CN1253685A - Method and apparatus for managing internetwork and internetwork activity in enterprise - Google Patents


Info

Publication number
CN1253685A
Authority
CN
China
Prior art keywords
user
computer
rule
group
internet
Prior art date
Legal status
Pending
Application number
CN98804499A
Other languages
Chinese (zh)
Inventor
戴纶·M·阿布雷罕姆
托德·A·巴尼斯
保罗·F·包舍
托马斯·P·保盖茨
特蕾西·A·高斯林
马克·G·格里夫
布伦特·A·朗顿
罗伯特·C·阿里森
迈克尔·S·尼克
Current Assignee
Sequel Tech Corp
Original Assignee
Sequel Tech Corp
Priority date
Filing date
Publication date
Application filed by Sequel Tech Corp
Publication of CN1253685A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/04 Network management architectures or arrangements
    • H04L41/046 Network management architectures or arrangements comprising network management agents or mobile agents therefor
    • H04L41/22 Arrangements for maintenance, administration or management of data switching networks comprising specially adapted graphical user interfaces [GUI]
    • H04L41/26 Arrangements for maintenance, administration or management of data switching networks using dedicated tools for LAN [Local Area Network] management
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping

Abstract

In accordance with the present invention, a network management program (80) is provided that manages the communication of data packets between an intranetwork (44) and an internetwork (40). An operator of a computer connected to the intranetwork (44) inputs vital information regarding users of computers connected to the intranetwork (44), mapping information regarding computers connected to the intranetwork (44), and policies to be applied against those users and computers, using a graphical user interface (GUI 70). The GUI (70) communicates the vital user information, mapping information and policies to a database (72) which stores and organizes the vital user information, mapping information and policies. A filter executive (76) optimizes the policies stored in the database (72) into a set of rules for each user and passes the rules to a filter engine (78). The filter engine (78) filters all outbound data packets transmitted from the intranetwork (44) to the internetwork (40) and verifies all inbound data packets from the internetwork (40) according to the rules provided by the filter executive (76). The filter executive (76) also communicates the mapping information stored in the database (72) to a naming service manager (74) which further updates the mapping information and returns the updated mapping information to the filter executive (76). Consequently, the filter executive (76) filters the data packets according to the most recent mapping information.

Description

Method and apparatus for managing internetwork and intranetwork activity
This application claims the benefit of U.S. Provisional Application No. 60/____, filed March 11, 1997, the subject matter of which is hereby incorporated by reference.
The present invention relates generally to managing the communication of data packets transmitted over an intranetwork or internetwork, and more particularly to monitoring, logging and blocking data packets transmitted over an intranetwork or internetwork.
Computer networks are well known in the field of computer communications. By definition, a network is a set of computers and related devices connected by communication equipment and links. A network connection may be fixed, such as a cable, or temporary, such as a connection formed over a telephone or other communication link. Networks vary widely in scale, from local area networks (LANs) made up of a few computers and related devices to wide area networks (WANs) that interconnect geographically dispersed computers and LANs. An internetwork, in turn, relies on gateways or routers that facilitate the transfer and translation of data between different networks, and couples together two or more computer networks of differing complexity. The well-known abbreviation of "internetwork" is "internet". As is known, the capitalized term "Internet" refers to the set of networks and routers that communicate with one another using the Transmission Control Protocol/Internet Protocol (TCP/IP).
A representative portion 40 of the Internet is shown in Fig. 1 (prior art), in which a large number of local area networks (LANs) 44 are connected through routers 42. Routers 42 are generally special-purpose computers that serve as the interface from one LAN to another. The communication lines within a LAN may be twisted pair or coaxial cable, while the communication lines between networks may be 56 Kbps analog telephone lines, 1 Mbps digital T-1 lines and/or 45 Mbps T-3 lines. It will be appreciated that the Internet comprises a very large number of such interconnected networks and routers, and that only a small, representative portion of the Internet is shown in Fig. 1.
Recently, the Internet has grown rapidly because of its ability to connect computers located all over the world. At the same time, the amount of information and the number of services available on the Internet have increased greatly. Such services include, for example, electronic mail, the Usenet collection of newsgroups (dedicated to special topics), Gopher (an information retrieval system created by the University of Minnesota), bulletin boards and the World Wide Web (WWW). The information provided by a service is transmitted over the Internet using an information protocol designed specifically for the needs of that service, which carries the information on top of TCP/IP. For example, hypertext documents provided by the WWW are transmitted using the well-known Hypertext Transfer Protocol (HTTP). Electronic mail is transmitted using the Simple Mail Transfer Protocol (SMTP), POP2 (Post Office Protocol, version 2) or POP3 (Post Office Protocol, version 3). Although HTTP, SMTP, POP2 and POP3 are described here, those of ordinary skill in the art will understand that these protocols are only a representative sample of the numerous protocols used to transmit information over the Internet, and that new protocols and services are added to the Internet every day.
In short, the Internet is an information pipeline that serves any smaller LAN or WAN belonging to it. As information and services on the Internet multiply, a need has arisen for a method and apparatus for managing the communication of information and services between the Internet and its member intranets. Such a method and apparatus should be able to monitor and log the transmission of data packets between an intranet and the Internet. In addition, it should be able to set rules that deny or allow computer users on the intranet access to certain Internet resources, such as denying or allowing access to a particular WWW site, denying or allowing the retrieval of files with a certain file extension from the Internet, and denying or allowing the transmission of data from the intranet to a destination according to the protocol type of the data being transmitted. As described below, the present invention provides a method and apparatus that satisfies these criteria and remedies other deficiencies of the prior art.
In accordance with the present invention, a network management program is provided for managing the communication of data packets between an intranet and the Internet. The intranet comprises a number of computers connected through a communication medium; the Internet comprises a number of computers connected by some other communication medium. An operator of a computer connected to the intranet uses a graphical user interface (GUI) to input vital information regarding the users of the computers connected to the intranet, mapping information regarding the computers connected to the intranet, and the policies to be applied to those users and computers. The GUI communicates the vital user information, mapping information and policies to a database, which stores and organizes them. A filter executive optimizes the policies stored in the database into a rule set for each user and passes the rules to a filter engine. The filter engine filters all outbound data packets transmitted from the intranet to the Internet, and verifies all inbound data packets from the Internet, according to the rules provided by the filter executive.
In accordance with other aspects of the invention, the filter executive also communicates the mapping information stored in the database to a naming service manager, which further updates the mapping information and returns the updated mapping information to the filter executive. Consequently, the filter executive filters data packets according to the most recent mapping information.
The foregoing aspects and many of the attendant advantages of this invention will become more readily appreciated and better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:
Fig. 1 (prior art) is a block diagram of a portion of the Internet;
Fig. 2 is a pictorial illustration of a local area network (LAN), formed by interconnecting a number of client computers and servers, of the type typically connected to the Internet shown in Fig. 1;
Fig. 3A is a block diagram of several components of the network server shown in Fig. 2, which are used to store the network management program for managing intranetwork and internetwork activity in accordance with the present invention;
Fig. 3B is a block diagram of several components of the client computers shown in Fig. 2, which are used to store and implement some portion of the network management program;
Fig. 3C is a block diagram of several components of a server shown in Fig. 2, which are used to store and execute some portion of the network management program;
Fig. 4 is a block diagram illustrating how the components of the network management program are distributed among the client computers and servers shown in Fig. 2;
Fig. 5 is a flow chart illustrating the logic used by the graphical user interface (GUI) component of the network management program;
Fig. 6 is a main window produced by the GUI, in which the operator enters vital information regarding each computer user connected to the LAN shown in Fig. 2, mapping information regarding each such user and each such computer, and policy information to be applied to each such user;
Figs. 7A to 7C are a flow chart illustrating the logic used by the GUI to process the vital, mapping and policy information entered through the main window shown in Fig. 6;
Figs. 8A to 8Q are various other windows produced by the GUI for entering vital, mapping and policy information;
Figs. 9A to 9D are block diagrams illustrating a number of tables, stored by the database component of the network management program, that organize the vital, mapping and policy information provided by the GUI;
Figs. 10A to 10B are a flow chart illustrating the logic used to update a protocol policy table stored in the database;
Figs. 11A and 11B are a flow chart illustrating the logic used to update a file type policy table in the database;
Fig. 12 is a flow chart illustrating the logic used to update a site policy table in the database;
Figs. 13A and 13B are a flow chart illustrating the logic used to update a rating table in the database;
Fig. 14 is a flow chart illustrating the logic used to establish user policies in the database;
Figs. 15A to 15C are a flow chart illustrating the logic used by the filter executive component of the network management program to process and optimize the vital, mapping and policy information stored in the database;
Fig. 16 is a flow chart illustrating the logic used by the filter executive to initialize the filter engine component of the network management program;
Fig. 17 is a block diagram illustrating a number of rule sets defined by the filter executive of the network management program based on the policy information stored in the database;
Fig. 18 is a flow chart illustrating the logic used to define a rule set for each computer user connected to the LAN shown in Fig. 2, the rule set comprising a collaborative rule, global network protocol rules, user policy rules and time rules;
Fig. 19 is a flow chart illustrating the logic used to define a site rule set for each computer user connected to the LAN shown in Fig. 2;
Fig. 20 is a flow chart illustrating the logic used to define a time rule set for each user connected to the LAN shown in Fig. 2;
Fig. 21 is a flow chart illustrating the logic used by the filter engine of the network management program to process Internet Protocol (IP) packets communicated between the Internet shown in Fig. 1 and the LAN shown in Fig. 2;
Fig. 22 is a flow chart illustrating the logic used by the filter engine to filter IP packets communicated between the Internet shown in Fig. 1 and the LAN shown in Fig. 2 according to the rules defined by the filter executive;
Fig. 23 is a flow chart illustrating the logic used to record IP packets communicated between the Internet shown in Fig. 1 and the LAN shown in Fig. 2 in a log table;
Fig. 24 is a flow chart illustrating the logic used to analyze the log table formed by the logic of Fig. 23;
Figs. 25A and 25B are block diagrams illustrating a number of tables stored by the database for organizing log information;
Fig. 26 is a flow chart illustrating the logic used to compute quota violations based on the amount of data communicated between the Internet shown in Fig. 1 and the LAN shown in Fig. 2;
Fig. 27 is a flow chart illustrating the logic used to notify a computer user connected to the LAN shown in Fig. 2 of an action taken by the filter engine;
Fig. 28A is a block diagram illustrating a host mapping table used by the naming service manager, in accordance with the present invention, to maintain naming service information;
Fig. 28B is a block diagram of a transaction container in which mapping information is stored, used for communication between the naming service agents, the naming service manager and the naming service application;
Figs. 29A and 29B are a flow chart illustrating the logic used by the naming service manager, in accordance with the present invention, to collect, maintain and serve mapping information;
Fig. 30 is a flow chart illustrating the logic used by a naming service agent to collect mapping information regarding the computers connected to the LAN shown in Fig. 2;
Fig. 31 is a flow chart illustrating the logic used by a first special naming service agent, upon initialization, to process mapping information indicating that a user has logged on to or off of a computer connected to the LAN shown in Fig. 2;
Fig. 32 is a flow chart illustrating the logic used by the first special agent, after initialization, to process mapping information indicating that a user has logged on to or off of a computer connected to the LAN shown in Fig. 2;
Fig. 33 is a flow chart illustrating the logic used by a second special naming service agent, upon initialization, to process mapping information indicating that the IP address of a computer connected to the LAN shown in Fig. 2 has changed;
Figs. 34A and 34B are a flow chart illustrating the logic used by the second special agent, after initialization, to process mapping information indicating that the IP address of a computer connected to the LAN shown in Fig. 2 has changed;
Fig. 35 is a flow chart illustrating the logic used by the naming service application to register with the naming service manager;
Fig. 36 is a flow chart illustrating the logic used by the naming service application to process mapping information supplied by the naming service manager;
Fig. 37 is a flow chart illustrating the logic used by the naming service manager to process mapping information indicating that the IP address of a computer connected to the LAN shown in Fig. 2 has become outdated;
Fig. 38 is a flow chart illustrating the logic used by the naming service manager to process mapping information indicating that a new IP address has been assigned to a computer connected to the LAN shown in Fig. 2;
Fig. 39 is a flow chart illustrating the logic used by the naming service manager to process mapping information indicating that a network user has logged off of a computer connected to the LAN shown in Fig. 2; and
Figs. 40A and 40B are a flow chart illustrating the logic used by the naming service manager to process mapping information indicating that a network user has logged on to a computer connected to the LAN shown in Fig. 2.
As noted above and shown in Fig. 1, the Internet 40 is a set of local area networks (LANs) 44, wide area networks (WANs) 46 and routers 42 that communicate with one another using the Transmission Control Protocol/Internet Protocol (TCP/IP). Fig. 2 illustrates in more detail a LAN 44 of the type typically connected to the Internet 40. In the actual embodiment of the invention depicted in Fig. 2, LAN 44 is a bus network interconnecting various clients and servers. LAN 44 shown in Fig. 2 may be formed of various coupling media, such as glass or plastic fiber optic cable, coaxial cable, twisted pair wire, ribbon cable and the like. In addition, those of ordinary skill in the art will recognize that the coupling medium may also be a radio frequency coupling medium or other intangible coupling medium. Given the prevalence of pre-wiring in current commercial environments, the actual embodiment of the invention described here uses twisted pair copper wire to form LAN 44.
As shown in Fig. 2, the computers interconnected by LAN 44 include a number of client computers 52, some of which are equipped with components of the present invention and some of which are not. Those client computers equipped with at least the GUI component of the present invention are referred to as "administrative clients" 54. In the actual embodiment of the invention described here, the operators of the administrative clients are organized into three administrative levels, namely system administrator, intermediate administrator and administrator. The system administrator may set special policies for any user on LAN 44 regarding what types of services and information on the Internet 40 each user may access. Intermediate administrators and administrators, on the other hand, have more restricted capabilities, as will be described in detail below.
LAN 44 also includes a domain controller server 60, which tracks which users are logged on to which client computers 52 and administrative computers 54 at any given time. For example, when a user logs on to a client computer 52, the user is said to have started a "session" with LAN 44. Domain controller server 60 captures a record of this session and stores the user's login name and the computer name, or "host name", of the computer on which the user logged on.
LAN 44 is isolated from the Internet 40 by a firewall 48, which uses the TCP/IP protocol to track and control the flow of all Internet Protocol, or "IP", packets passing through it. Firewall 48 protects LAN 44 against malicious inbound IP packet traffic, but it does not allow the users of LAN 44 to be dynamically selected, nor the Internet information and services that the users of LAN 44 may access to be selected.
All inbound IP packet traffic from the Internet 40 through firewall 48, and all outbound IP packet traffic from LAN 44, pass through a network server 50 equipped with a network operating system. In one actual embodiment of the invention, the network operating system installed on network server 50 is Microsoft Windows NT. Those of ordinary skill in the art will recognize that various other suitable operating systems may be used, including UNIX-based network operating systems.
The present invention provides a method and apparatus that allows network server 50 to manage the IP packet communication between LAN 44 and the Internet 40. Using an administrative computer 54, a system administrator, intermediate administrator or administrator may set special rules for any user of a computer connected to LAN 44 regarding the types of services and information on the Internet 40 that the user may access. Thus, if a rule denies a user access to a particular service or type of information, any IP packet by which that user requests access to that service or type of information will not be allowed by network server 50 to reach its destination on the Internet or on LAN 44.
Network server, administrative computer and domain controller server components
Fig. 3A depicts several key components of network server 50. Those of ordinary skill in the art will appreciate that network server 50 includes many more components than those shown in Fig. 3A; it is not necessary, however, that all of these generally conventional components be shown in order to disclose an actual embodiment for practicing the present invention. As shown in Fig. 3A, network server 50 is connected to LAN 44 through a network interface 66. Those of ordinary skill in the art will appreciate that network interface 66 includes the circuitry required to connect network server 50 to LAN 44 and to firewall 48, and is configured for the bus network configuration of LAN 44 used with the TCP/IP protocol and for the particular type of coupling medium.
Network server 50 also includes a processing unit 62, a display 64 and a mass storage device 68, which generally comprises random access memory (RAM), read-only memory (ROM) and a permanent mass storage device such as a hard disk drive, tape drive, optical drive, floppy disk drive or combination thereof. Mass storage device 68 stores the program code and data required to manage IP packet traffic in accordance with the present invention. More specifically, mass storage device 68 stores a network management program 80, formed in accordance with the present invention, for managing the flow of IP packet traffic through network server 50. As described further below, network management program 80 comprises a graphical user interface 70, a rules and log database 72, a naming service manager 74, a filter executive 76 and a filter engine 78.
Graphical user interface (GUI) 70 is a display format that allows the operator of an administrative client 54 to select commands, start programs and use the options provided by network management program 80 by pointing, with a computer input device such as a mouse or keyboard, at icons and menu items presented on the display. As will be described in detail below, the options and commands that GUI 70 offers to the operator of an administrative client depend on the administrative level that network management program 80 assigns to that operator, that is, whether the operator is a system administrator, an intermediate administrator or an administrator. Using GUI 70, the operator provides information about the users of LAN 44 and sets policies regarding the types of services and information on the Internet 40 that each user may access. GUI 70 sends the information provided by the operator and the policies set for each user to rules and log database 72.
Rules and log database 72 is a relational database, stored in mass storage device 68 and made up of the tables shown in Figs. 9A-9D and Figs. 25A and 25B, which network management program 80 uses to manage IP packet traffic through network server 50. In the actual embodiment of the invention described here, database 72 is a relational database managed and controlled with the Structured Query Language (SQL). The present invention uses SQL to query, retrieve, sort, update and manage database 72. Those of ordinary skill in the art will recognize, however, that any type of database, such as a flat file, sequential or object-oriented database, may be used to implement the present invention. In addition, access languages other than SQL may be used to manage and control database 72 without departing from the scope of the present invention.
As will be described in detail below in connection with Figs. 9A-9D, the tables of database 72 store information about each user of LAN 44 and the policies set for each user through GUI 70. The tables shown in Figs. 25A and 25B, on the other hand, store information about each IP packet received and logged by network server 50 in accordance with the present invention. Although in the actual embodiment of the invention described here database 72 is stored in mass storage device 68 of network server 50, those of ordinary skill in the art will recognize that in other embodiments database 72 may be stored in the memory of any other suitable computer connected to LAN 44.
Filter executive 76 is the component of network management program 80 that carries communication and policies between database 72 and filter engine 78, the component that actually filters the IP packets passing through network server 50. Filter executive 76 loads the policies collected in database 72, optimizes them by converting them into a rule set for each user, and provides filter engine 78 with the rules of conduct for each user.
Filter engine 78 uses the rules provided by filter executive 76 for each user to filter the contents of all IP packets passing through network server 50. An IP packet contains the information needed to judge whether the packet in fact complies with these rules; if it does not, filter engine 78 discards the packet and thereby prevents it from reaching its intended destination. In addition, filter engine 78 may log the filtered packet and notify the user of the action taken.
Finally, network management program 80 stored in mass storage device 68 of network server 50 includes a naming service manager 74, which collects and maintains mapping information used to identify the users of LAN 44 and associate them with the client computers on LAN 44 that those users are currently using. More particularly, naming service manager 74 dynamically associates, or "maps", a user's login name and domain name with the computer name (or "host name") and Internet Protocol (IP) address of the computer currently being used by that user. Those of ordinary skill in the art will recognize that an IP address consists of four numeric parts that uniquely identify a computer connected to the Internet 40. As described in detail below, naming service manager 74 collects the mapping information, that is, login names, domain names, computer names and IP addresses, from filter executive 76 and from other agents located on LAN 44, and associates this information so as to map each user of LAN 44 to the computer currently assigned to that user. Naming service manager 74 then provides the updated mapping information to filter executive 76, so that filter executive 76 can send the updated mapping information, together with the user policies, to filter engine 78.
Consequently, as users log on to and off of LAN 44, filter engine 78 correspondingly begins or stops filtering the IP packets passing through network server 50 for those users.
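As an added example (not the patent's or Sequel's own code), the following Python sketches the division of labour among the three components just described: a naming service manager keeps the IP-to-user mapping current as users log on and off, a filter executive sorts stored policies into an ordered rule set per user, and a filter engine applies those rules to outbound packets, verifies inbound ones and logs every drop. Class and field names, the default-deny behaviour when no rule or no user matches, and all addresses and packets are assumptions constructed for the example.

```python
# Added example (not the patent's code): a small model of the filter executive,
# filter engine and naming service manager described above; all names, rule
# fields, addresses and packets are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple

@dataclass
class Policy:
    """A policy as an operator would enter it through the GUI."""
    user: str
    protocol: str = "*"               # "http", "smtp", ...; "*" matches any protocol
    site: str = "*"                   # destination host pattern, e.g. "*.example.test"
    hours: Tuple[int, int] = (0, 24)  # window in which the policy applies: [start, end)
    action: str = "deny"              # "allow" or "deny"

@dataclass
class Packet:
    """The IP packet fields the engine needs; inbound means Internet -> LAN."""
    src_ip: str
    dst_ip: str
    protocol: str
    site: str
    inbound: bool = False

class NamingServiceManager:
    """Keeps the IP -> login-name mapping current as users log on and off."""
    def __init__(self) -> None:
        self.ip_to_user: Dict[str, str] = {}

    def login(self, user: str, ip: str) -> None:
        self.ip_to_user[ip] = user

    def logout(self, ip: str) -> None:
        self.ip_to_user.pop(ip, None)

    def user_for(self, ip: str) -> Optional[str]:
        return self.ip_to_user.get(ip)

class FilterExecutive:
    """Optimizes the stored policies into one ordered rule set per user."""
    def __init__(self, policies: List[Policy]) -> None:
        self.rule_sets: Dict[str, List[Policy]] = {}
        for p in policies:
            self.rule_sets.setdefault(p.user, []).append(p)
        # Specific rules (named protocol, named site) sort before wildcards,
        # so the engine can stop at the first rule that matches.
        for rules in self.rule_sets.values():
            rules.sort(key=lambda r: (r.protocol == "*", r.site == "*"))

    def rules_for(self, user: str) -> List[Policy]:
        return self.rule_sets.get(user, [])

class FilterEngine:
    """Filters outbound and verifies inbound packets against per-user rules; every drop
    is logged. Dropping on no matching rule or an unmapped LAN address is an assumed default."""
    def __init__(self, executive: FilterExecutive, naming: NamingServiceManager) -> None:
        self.executive, self.naming = executive, naming
        self.log: List[dict] = []

    def decide(self, pkt: Packet, now: datetime) -> str:
        # Outbound: the LAN user is the source; inbound: the LAN user is the destination.
        lan_ip = pkt.dst_ip if pkt.inbound else pkt.src_ip
        user = self.naming.user_for(lan_ip)
        if user is None:
            return self._drop(pkt, now, "no user mapped to " + lan_ip)
        for r in self.executive.rules_for(user):
            if (r.protocol in ("*", pkt.protocol) and fnmatch(pkt.site, r.site)
                    and r.hours[0] <= now.hour < r.hours[1]):
                if r.action == "allow":
                    return "allow"
                return self._drop(pkt, now, f"{user}: deny {r.protocol} {r.site}")
        return self._drop(pkt, now, f"{user}: no matching rule")

    def _drop(self, pkt: Packet, now: datetime, reason: str) -> str:
        self.log.append({"time": now.isoformat(), "src": pkt.src_ip, "dst": pkt.dst_ip,
                         "protocol": pkt.protocol, "site": pkt.site, "reason": reason})
        return "deny"

def demo() -> Tuple[Dict[str, str], List[dict]]:
    """Constructed scenario: alice, logged on at 10.0.0.5, may use HTTP to
    *.example.test during office hours; everything else of hers is denied."""
    naming = NamingServiceManager()
    naming.login("alice", "10.0.0.5")
    executive = FilterExecutive([
        Policy("alice", "http", "*.example.test", (8, 18), "allow"),
        Policy("alice"),  # catch-all deny for alice
    ])
    engine = FilterEngine(executive, naming)
    noon, night = datetime(1997, 3, 11, 12), datetime(1997, 3, 11, 22)
    web = Packet("10.0.0.5", "192.0.2.10", "http", "www.example.test")
    mail = Packet("10.0.0.5", "192.0.2.20", "smtp", "mail.example.test")
    stranger = Packet("10.0.0.9", "192.0.2.10", "http", "www.example.test")
    reply = Packet("192.0.2.10", "10.0.0.5", "http", "www.example.test", inbound=True)
    results = {"web_noon": engine.decide(web, noon), "web_night": engine.decide(web, night),
               "mail_noon": engine.decide(mail, noon), "unmapped": engine.decide(stranger, noon),
               "inbound_reply": engine.decide(reply, noon)}
    naming.logout("10.0.0.5")  # alice logs off, so her former address is no longer hers
    results["after_logout"] = engine.decide(web, noon)
    return results, engine.log
```

The log entries returned by `demo()` are the material a Fig. 23-style log table would hold; the last entry shows why a stale mapping must be retired the moment a user logs off.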
Since the assembly of the webserver 80 and the network supervisor 80 realized by the webserver 50 has been done more detailed narration, the associated component of administration client 54 will be discussed.Fig. 3 B has described several key components of supervisory computer 54, and they are used to define the rule set that will be used for LAN44 user, so that manage the activity of LAN according to the present invention.The people who has general technology in the art will appreciate that administration client 54 comprises far more than the assembly shown in Fig. 3 B.Yet, there is no need for the abundant openly embodiment of the actual use of the present invention, and all general conventional assemblies shown.The network interface 56 of the network interface 66 of administration client 54 by being similar to the webserver 50 is linked on the LAN44.Each supervisory computer 54 also comprises a processing unit 55 ,-display 58 and memory 57.Memory 57 comprises the dish of a routine, and read-only memory reaches the random access memory (RAM) for the GUI70 of storage network operating system 82 and network supervisor 80.Here in Xu Shu the current implementing example of the present invention, supervisory computer 54 is not equipped any network supervisor 80 remaining assemblies that get off.For the operator who allows supervisory computer 54 imports relevant user and is the information of user's Provisioning Policy, only need GUI70.Then, information and strategy pass to the rule and the database of record that are positioned at the webserver 50 by GUI70 and are for further processing.
As for the remaining client computers 52 connected to LAN 44, these client computers 52 are not equipped with any part of the network supervisor 80. A detailed description of the electronic components of the client computers 52 is therefore not required for the illustrative embodiment of the present invention disclosed here. In accordance with the present invention, any IP packets transmitted by a client computer 52, and any services and/or information subsequently requested from the Internet 40 by a user of that client computer 52, are still filtered by the filter engine 78 as they pass through the network server 50.
FIG. 3C depicts several key components of the domain controller server 60. As noted above, the domain controller server 60 keeps track of which users are logged into which computers at any given time. For example, when a user logs into a computer and the computer begins communicating actively with LAN 44, the computer is said to have begun a "session" with LAN 44. The domain controller server 60 captures a record of this session and stores the user's login name, the computer name, and the IP address of the computer the user logged into.
The domain controller server 60 includes a network interface 67, similar to the network interface 65 of the administrative computer 54, which connects the domain controller server 60 to LAN 44. In addition, the domain controller server 60 includes a processing unit 61, a display 63 and a mass storage device 69 similar to that provided in the network server 50. The mass storage device 69 stores either a domain controller agent 75 or a master agent 77, either of which can be used together with the name service manager 74 of the network supervisor 80 to maintain current and accurate user mapping information for each LAN 44 user at any given time. As described in more detail below, the domain controller agent 75 collects dynamic user login and logout information, whereas the master agent 77 collects the current IP addresses of the computers connected to LAN 44. The domain controller agent 75 and the master agent 77 periodically send the information they collect to the name service manager 74. Although both the domain controller agent 75 and the master agent 77 are shown in FIG. 3C, it will be understood that normally only one of them is used. For example, if a dynamic mapping of users to computers and of computers to IP addresses is required, the domain controller agent 75 is used; if, however, the assignment of users to computers is kept static, or constant, and only the assignment of computers to IP addresses needs to be updated, the master agent 77 is used. Although the master agent 77 is described here as residing on the domain controller server 60, those of ordinary skill in the art will recognize that the master agent may reside on any suitable computer connected to LAN 44.
Network supervisor
FIG. 4 is a block diagram of the components of the network supervisor 80 distributed across the various computers and servers connected to LAN 44. The GUI 70 of each administrative computer 54 and of the network server 50 transmits the information and policies entered by the operators of those computers, over LAN 44, to the rules and log database 72 located on the network server 50. These policies are stored and processed by the rules and log database 72, which then transmits each user's policies, together with that user's mapping information, to the filter executive 76. The filter executive 76 optimizes these policies into a rule set for each user and sends the rules and the user mapping information to the filter engine 78. The filter engine 78 filters all outbound IP packets sent from LAN 44 to the Internet 40, and checks all inbound IP packets from the Internet 40, against the rules provided to it by the filter executive 76. As noted above, the name service manager 74 provides updated mapping information to the filter executive, which in turn causes the filter engine 78 to start and stop filtering IP packets dynamically as users log into and out of LAN 44.
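The following is an added worked example and not code from the patent or from the assignee's product. It models the name service manager described above: login and logout events from a domain controller agent and address reports from a master agent are merged into one user-to-computer-to-IP map, and the manager emits "start" and "stop" instructions telling the filter executive which address to filter for which user. The event formats, the "DOMAIN\login" key format, the class and method names and the sample sequence are assumptions made for this illustration.

```python
# Added example, not the patent's own code: a minimal name service manager
# merging the two agent feeds into one user -> computer -> IP map and telling
# the filter executive which addresses to start or stop filtering for whom.
# Event shapes, the "DOMAIN\login" key format and the sample data are
# assumptions made for this illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Mapping:
    login: str
    domain: str
    computer: str
    ip: Optional[str] = None       # unknown until the master agent reports it


class NameServiceManager:
    def __init__(self) -> None:
        self.by_user: Dict[str, Mapping] = {}      # "DOMAIN\login" -> mapping
        self.computer_ip: Dict[str, str] = {}      # computer name -> current IP
        self.instructions: List[Tuple[str, str, str]] = []  # (start|stop, user, ip)

    @staticmethod
    def key(domain: str, login: str) -> str:
        return f"{domain.upper()}\\{login.lower()}"

    def _emit(self, action: str, user: str, ip: Optional[str]) -> None:
        # The filter engine matches packets by address, so an entry without
        # an IP cannot be filtered yet and produces no instruction.
        if ip:
            self.instructions.append((action, user, ip))

    # Domain controller agent feed: dynamic login / logout information.
    def on_login(self, domain: str, login: str, computer: str) -> None:
        user = self.key(domain, login)
        old = self.by_user.get(user)
        if old is not None:                      # user moved to another machine
            self._emit("stop", user, old.ip)
        m = Mapping(login, domain, computer, self.computer_ip.get(computer))
        self.by_user[user] = m
        self._emit("start", user, m.ip)

    def on_logout(self, domain: str, login: str) -> None:
        user = self.key(domain, login)
        old = self.by_user.pop(user, None)
        if old is not None:
            self._emit("stop", user, old.ip)

    # Master agent feed: the IP address each computer currently holds
    # (it changes under DHCP, which is why the map must be refreshed).
    def on_address_report(self, computer: str, ip: str) -> None:
        old_ip = self.computer_ip.get(computer)
        self.computer_ip[computer] = ip
        if old_ip == ip:
            return
        for user, m in self.by_user.items():
            if m.computer == computer:
                self._emit("stop", user, old_ip)
                m.ip = ip
                self._emit("start", user, ip)

    def user_for_ip(self, ip: str) -> Optional[str]:
        # What the filter engine asks on every packet: who owns this address?
        for user, m in self.by_user.items():
            if m.ip == ip:
                return user
        return None


def demo() -> List[Tuple[str, str, str]]:
    # Constructed sequence: a workstation gets an address, a user logs in,
    # DHCP renews the lease with a new address, the user logs out.
    ns = NameServiceManager()
    ns.on_address_report("WS-01", "10.1.2.3")
    ns.on_login("CORP", "alice", "WS-01")
    ns.on_address_report("WS-01", "10.1.2.9")
    ns.on_logout("CORP", "alice")
    return ns.instructions


if __name__ == "__main__":
    for action, user, ip in demo():
        print(f"{action:5} filtering for {user} at {ip}")
```

The check a practitioner will want to keep in mind: the filter engine attributes every packet to a user by source IP address alone, so a host that spoofs or reuses an address, or a logout event that the agent never delivers, causes traffic to be judged under the wrong user's rules. The map is best-effort attribution, not authentication.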
Having described the overall distribution of the components of the network supervisor 80 in general terms, the operation of the network supervisor 80 will now be described in detail.
Information entry and policy setting
FIG. 5 is a flow chart illustrating the logic used by the GUI 70 of the network supervisor 80 to determine, according to the operator's management access level, which network management options are presented to the operator of the administrative computer 54. As described below, the network management options are presented in a main window 84 generated by the GUI on the display of the administrative computer. As shown in FIG. 6, the main window 84 provides the operator with options for entering certain information about all of the identified users of LAN 44 and for setting the various policies that define what information and services are available to those users. In this regard, the main window 84 includes a user list 88 identifying all LAN 44 users. For example, if the present invention is used in a corporate environment, LAN 44 will comprise the company's private intranet and each LAN 44 user will be an employee of the company; the user list 88 will therefore identify each employee of the company. In accordance with the present invention, a user may be assigned one of several management access levels, namely system administrator, intermediate administrator or administrator. If a "triple key" icon 89 appears next to a user's name in the user list 88 of the main window 84, that user is a system administrator; correspondingly, a "double key" icon 87 denotes an intermediate administrator and a "single key" icon 85 denotes an administrator.
Users can be added to, modified in, or deleted from the user list using the user add, edit and delete toolbar buttons 90a, 90b and 90c respectively. For example, a user can be added to the user list 88, and the user's management access level defined, by selecting the user add toolbar button 90a, as will be described in detail below. Those of ordinary skill in the art will also appreciate that the user add, edit and delete options may instead be selected from a "drop-down" user menu 90d.
In accordance with yet another aspect of the present invention, all LAN 44 users can be organized into groups in a hierarchical manner. In this regard, the main window 84 includes a group hierarchy 86 whose root is the group containing all of the users identified in the user list 88. As in any hierarchy, the root group containing all users can be divided into subgroups, or "children", and each child group can be further divided into its own subgroups, the "grandchildren", and so on. Using the corporate environment of the example above, the root group of the hierarchy is the "corporate group". The corporate group may in turn be divided into subgroups according to the company's departments, such as the finance department, the information systems department, the marketing department and the sales department, as shown in FIG. 6; correspondingly, the employees of each of these departments are the users belonging to that subgroup.
As described in detail below, an operator of the administrative computer 54 with system administrator, intermediate administrator or administrator access can add subgroups to, modify subgroups in, or delete subgroups from the root, or "corporate", group using the group add, edit and delete toolbar buttons 92a, 92b and 92c, or the group drop-down menu 92d. Once a subgroup has been defined, users are added to it as members by selecting the add-user-to-group toolbar button 91.
Once the users of LAN 44 have been defined, and added to groups, by an operator of the administrative computer 54 at the appropriate access level, that is, a system administrator, intermediate administrator or administrator, the operator can use the GUI 70 to set certain policies, either broadly for groups or individually for users, and can use these policies to control user or group access to Internet resources. In the embodiment of the invention described here, the operator can apply protocol policies, site policies, file type policies, quota policies and time schedule policies from the main window generated by the GUI 70. These policies are described in more detail below.
Protocol policies
Internet resource, as the WWW service, E-mail service, Usenet reads in the service with Telnet, usually with agreement and the port numbers known, through Internet traffic.For example Email uses SMTP through port numbers 25 usually through the internet, and POP2 sends through port numbers 110 through port numbers 106 or POP3.Utilize GUI70, the system manager, intermediate supervision person or keeper are sent to the agreement that is used for transmitting them by refusal or permission IP bag, can set up a strategy, remove refusal or allow these resources of visit.This " protocol strategy " then can be widely in the face of organizing (like this, particularly in the face of belonging to each user of group) and being employed in the face of specific user respectively.Site policy
The World Wide Web is a vast, interconnected collection of hypertext documents, written in Hypertext Markup Language (HTML) and linked electronically to one another, that are stored on "Web sites" spread throughout the Internet 40. A Web site is a server connected to the Internet 40 that has mass storage facilities for storing hypertext documents and runs server software for handling requests for those documents. Using the GUI 70, a system administrator, intermediate administrator or administrator can set a site policy that denies or permits requests from LAN 44 users to a given site, identified by its unique IP address or by its fully qualified domain name. As noted above for protocol policies, site policies can also be applied broadly to a group or individually to a specific user.
File type policies
Information is often retrieved from the Internet resources described above in the form of files, such as executable (.exe) files or archive (.zip) files. Using the GUI 70, a system administrator, intermediate administrator or administrator can set a file type policy that prevents users from downloading certain file types from the Internet, identifying the file types to be denied by their file extensions, such as .exe or .zip. As noted above for protocol and site policies, file type policies can be applied broadly to a group or individually to a specific user.
Quota policies
On any given day, each LAN 44 user may send and receive many megabytes of data contained in IP packets. A quota can be set that specifies how many megabytes of data any user may send and receive within a predetermined time period; in the embodiment of the invention described here, that period is 24 hours. The quota policy ensures that LAN 44 operates at optimum efficiency and that users stay within the policies set for them. As noted above for protocol, site and file type policies, quota policies can be applied broadly to a group or individually to a specific user.
Time schedule policies
Finally, using the GUI 70, a system administrator (but not an intermediate administrator or an administrator) can set a time schedule policy that denies users access, at specified times of the day, to information communicated using certain protocols. For example, the system administrator may permit e-mail only between 8 a.m. and 10 a.m., in which case access to the e-mail protocols (such as SMTP, POP2 and POP3) is blocked at all other times of the day. Unlike protocol, site, file type and quota policies, a time schedule policy can only be applied to the root, or corporate, group, not to individual users or to subgroups of the corporate group. Because it is applied to the corporate group, a time schedule policy is inherited by all subgroups of the corporate group and by every user belonging to the corporate group and its subgroups.
Returning to FIG. 5, which shows the logic used by the GUI 70 to build the main window 84 from which system administrators, intermediate administrators and administrators enter information and set policies: the logic begins at block 200 and proceeds to block 202, where the current operator logs into the administrative computer 54. At block 204 the logic determines whether the password entered by the user is valid. If not, the logic returns to block 202 and the user logs in again. If the user enters a valid password, the logic proceeds to block 206, where it queries the database 72 for the user's management access level, that is, system administrator, intermediate administrator or administrator. If the logic determines at decision block 208 that the current operator is a system administrator, the main window 84 is displayed at block 210 on the display 58 of the operator's administrative computer 54 with all of the options of the network supervisor 80 available. If the user is not a system administrator, the logic proceeds from block 208 to decision block 212, where it determines whether the user is an intermediate administrator. If so, the main window 84 is displayed with certain options blocked, namely the corporate defaults option, the protocol add/edit/delete options and the time schedule option.
If the operator is neither a system administrator nor an intermediate administrator, the logic proceeds to decision block 215, where it determines whether the operator is an administrator. If so, the main window 84 is displayed with the corporate defaults option, the time schedule option, the user add/edit/delete options, the computer add/edit/delete options and the protocol options blocked, and the logic then ends at block 218.
If the operator logging into the administrative computer 54 is not a system administrator, an intermediate administrator or an administrator, the operator is not permitted to set policies or enter information using the GUI 70, and the GUI 70 exits at block 217. Note that this gating of options takes place in the GUI 70 on the administrative computer; the access level recorded in the database 72 is what ultimately determines which updates are accepted.
FIGS. 7A, 7B and 7C depict the logic implemented by the GUI 70 to process the options selected by the operator of the administrative computer 54 from the main window 84. It will be appreciated that each option selected from the main window 84 updates the rules and log database 72 with the information supplied by the operator. The tables comprising the database 72 are illustrated in FIGS. 9A through 9D and will be referred to throughout the discussion of FIGS. 7A-7C.
The logic begins at block 220 in FIG. 7A and proceeds to decision block 222, where it determines whether the operator has selected the corporate defaults option from the file pull-down menu 83 of the main window 84. As noted above, the corporate defaults option is available in the main window 84 only to a system administrator; those of ordinary skill in the art will recognize that, for intermediate administrators and administrators, the corporate defaults option appears "greyed out" in the main window 84 and any attempt by those operators to select the option is ignored by the GUI 70. When a system administrator selects the corporate defaults option from the main window 84, the GUI 70 generates the corporate defaults window 102 shown in FIG. 8A on the display 58 of the administrative computer 54 being used by the system administrator. From the corporate defaults window 102, the system administrator can set the following default options, which apply to the corporate group, by selecting or clearing the corresponding check boxes.
Transaction load interval: the system administrator selects, from the transaction time drop-down menu 180, how frequently the filter engine 78 transmits logged IP packets to the rules and log database 72. When the system administrator enters a value for the transaction load interval, the value is stored in the transaction load interval field of the corporate defaults table 110 of the database 72, shown in FIG. 9A.
Allow network protocols: if the system administrator selects the allow network protocols check box in the corporate defaults window 102, IP packets communicated using the protocols in a predefined network protocol table are unconditionally allowed to pass by the filter engine 78. In contrast to application protocols, network protocols are those used for intranet communication by the computers and servers connected to LAN 44. Network protocols are normally all allowed to pass by the filter engine 78, which, as will be appreciated, saves space in the database 72. If the system administrator selects the allow network protocols check box, the block network traffic flag in the corporate defaults table 110 is set; otherwise the block network traffic flag is cleared.
Allow undefined protocols: if the system administrator selects the allow undefined protocols check box in the corporate defaults window 102, IP packets communicated using any application protocol that has not been predefined by the network supervisor 80, and for which the database 72 therefore holds no record, are still allowed to pass by the filter engine 78. If the allow undefined protocols check box is selected, the corresponding flag is set in the corporate defaults table 110; otherwise the flag is cleared.
Allow logging: when the allow logging check box is selected in the corporate defaults window 102, all IP packets that the filter engine 78 allows through to their intended destinations are also logged by the filter engine 78. When the system administrator selects the allow logging check box, the log-on-off flag in the corporate defaults table 110 of the database 72 is set; otherwise the log-on-off flag is cleared.
Simulate rule enforcement: when the system administrator selects the simulate rule enforcement check box, all IP packets passing through the filter engine 78 are logged as though the protocol, site, file type and quota policies described above were being enforced, although in fact they are not enforced. When the simulate rule enforcement check box is selected, the log-no-block flag in the corporate defaults table 110 is set; otherwise the log-no-block flag is cleared.
Send violation messages: if the system administrator selects the send violation messages check box, a violation message is sent to a LAN 44 user whenever that user violates a policy or quota setting. When the send violation messages check box is selected, the notify flag in the corporate defaults table 110 is set; otherwise the notify flag is cleared.
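The following is an added worked example and not code from the patent or from the assignee's product. It shows one way a per-user packet filter could apply the five policy types described above (protocol, site, file type, quota and time schedule) together with two of the corporate defaults just described, "allow undefined protocols" and "simulate rule enforcement" (the log-no-block flag). The packet and rule representations, the evaluation order, the decision to fail closed for a source address with no mapped user, and the sample rule set and traffic are all assumptions made for this illustration.

```python
# Added example, not the patent's own code: per-user IP packet filtering
# against protocol, site, file type, quota and time schedule rules, with the
# "allow undefined protocol" and "simulate rule enforcement" (log-no-block)
# corporate defaults. Representations and sample data are assumptions.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    when: datetime
    user: Optional[str]     # user the name service mapped to the source address
    port: int               # well-known port identifying the application protocol
    host: str = ""          # destination site: IP address or fully qualified domain name
    path: str = ""          # requested object, if the protocol carries one
    size: int = 0           # bytes carried, charged against the daily quota


@dataclass
class UserRules:
    protocols: Dict[int, bool] = field(default_factory=dict)   # port -> allowed?
    sites: Dict[str, bool] = field(default_factory=dict)       # host -> allowed?
    blocked_extensions: frozenset = frozenset()
    quota_bytes: Optional[int] = None      # per calendar day; None = no quota


@dataclass
class CorporateDefaults:
    allow_undefined_protocol: bool = False
    log_no_block: bool = False     # "simulate rule enforcement": log, never block


class FilterEngine:
    def __init__(self, defaults: CorporateDefaults, rules: Dict[str, UserRules],
                 schedule: List[Tuple[int, int, int]]) -> None:
        self.defaults = defaults
        self.rules = rules            # user -> optimized rule set
        self.schedule = schedule      # (port, start_hour, end_hour) denied for everyone
        self.usage: Dict[Tuple[str, str], int] = {}   # (user, date) -> bytes so far
        self.log: List[Tuple[Optional[str], str, str]] = []  # (user, verdict, reason)

    def _violation(self, p: Packet) -> Optional[str]:
        rules = self.rules.get(p.user) if p.user else None
        if rules is None:
            return "no user mapped to source address"   # assumption: fail closed
        for port, start, end in self.schedule:   # corporate-wide, inherited by all
            if port == p.port and start <= p.when.hour < end:
                return f"port {port} denied by time schedule"
        if not rules.protocols.get(p.port, self.defaults.allow_undefined_protocol):
            return f"protocol on port {p.port} denied"
        if p.host and not rules.sites.get(p.host.lower(), True):
            return f"site {p.host} denied"
        ext = p.path.rsplit(".", 1)[-1].lower() if "." in p.path else ""
        if ext in rules.blocked_extensions:
            return f"file type .{ext} denied"
        if rules.quota_bytes is not None:
            used = self.usage.get((p.user, p.when.date().isoformat()), 0)
            if used + p.size > rules.quota_bytes:
                return "daily quota exceeded"
        return None

    def filter(self, p: Packet) -> Tuple[str, str]:
        reason = self._violation(p)
        if reason is None:
            verdict, reason = "allow", "ok"
        elif self.defaults.log_no_block:
            verdict, reason = "allow", "would block: " + reason
        else:
            verdict = "deny"
        if verdict == "allow" and p.user in self.rules:
            day = (p.user, p.when.date().isoformat())
            self.usage[day] = self.usage.get(day, 0) + p.size
        self.log.append((p.user, verdict, reason))
        return verdict, reason


def sample_rules() -> Tuple[Dict[str, UserRules], List[Tuple[int, int, int]]]:
    # Constructed rule set for one user: web and e-mail permitted, telnet
    # denied, one site and .exe downloads denied, 1000 bytes per day; the
    # corporate schedule permits e-mail (port 25) only between 08:00 and 10:00.
    rules = {"CORP\\alice": UserRules(
        protocols={80: True, 25: True, 23: False},
        sites={"badsite.example": False},
        blocked_extensions=frozenset({"exe"}),
        quota_bytes=1000)}
    schedule = [(25, 0, 8), (25, 10, 24)]
    return rules, schedule


def at(hour: int, minute: int = 0) -> datetime:
    return datetime(2024, 1, 15, hour, minute)      # fixed sample day


if __name__ == "__main__":
    rules, schedule = sample_rules()
    engine = FilterEngine(CorporateDefaults(), rules, schedule)
    for pkt in (Packet(at(9), "CORP\\alice", 80, "www.example.com", "/index.html", 400),
                Packet(at(11), "CORP\\alice", 25, "mail.example", "", 100),
                Packet(at(9), "CORP\\alice", 80, "www.example.com", "/setup.exe", 10)):
        print(engine.filter(pkt))
```

Two caveats a practitioner would attach to such a filter: the file type check keys on the name of the requested object, so a renamed download passes it, and the protocol check keys on the destination port, so a service run on a non-standard port is judged as "undefined" rather than as the protocol it really carries.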
Returning to FIG. 7A, once the system administrator has selected or cleared the desired corporate default check boxes in the corporate defaults window 102, and the corporate defaults table 110 in the database 72 has been updated accordingly at block 226, the logic proceeds to block 228, which allows the system administrator to add, edit or delete the network protocols in the network protocol table, that is, the protocols that the filter engine 78 does not block by default.
In the corporate defaults window 102, the system administrator can add, edit or delete network protocols by selecting the network protocols button 182. If it is selected, the GUI 70 generates the maintain network protocols window 101 shown in FIG. 8B on the display 58 of the system administrator's administrative computer 54. To add a network protocol to the network protocol table shown in the maintain network protocols window, the system administrator selects the Add button.
The GUI 70 then generates the add network protocol window 113 shown in FIG. 8C. The system administrator enters the information requested in the add network protocol window 113, that is, the protocol name, the port number associated with the protocol and the well-known alias of the protocol, and selects the log traffic check box to indicate that IP packets transmitted using the network protocol are to be logged. Finally, the operator selects the Apply button, whereupon a record for the newly added protocol is added to the global network protocol table 112 of the database 72 shown in FIG. 9A.
The record added to the global network protocol table 112 includes a global protocol ID identifying the record itself, the global protocol name of the network protocol, and the well-known port number of the protocol. In addition, a log flag is set or cleared to indicate whether IP packets sent using the network protocol are to be logged; an access flag is set or cleared to indicate whether IP packets sent using the network protocol are allowed to pass by the filter engine 78; and a notify flag is set or cleared to indicate whether the user is notified of the action taken by the filter engine 78 when it filters IP packets sent using the network protocol. It will be appreciated that the log flag is set if the system administrator selects the log traffic check box and is otherwise cleared. The access flag is set to the same value as the block network traffic flag, and the notify flag is set to the same value as the notify flag in the corporate defaults table 110. Finally, a rule type code is set to indicate that the rule defined according to this policy is a network protocol rule.
Returning to FIG. 8B, if the system administrator wishes to edit a network protocol listed in the maintain network protocols window, the system administrator highlights the desired protocol and selects the Edit button. The add network protocol window 113 is generated again by the GUI 70, and the system administrator can enter updated information for the network protocol. The database 72 then updates the corresponding record for the network protocol in the global network protocol table 112.
If the system administrator wishes to delete a network protocol from the network protocol table shown in the maintain network protocols window, the system administrator highlights the desired network protocol and selects the Delete button. The database 72 then deletes the record corresponding to the network protocol from the global network protocol table 112. Returning to FIG. 7A, once the global network protocol table 112 has been updated at block 230, the database 72 sets the global network protocol transmit flag at block 232.
Returning to decision block 222, if the corporate defaults option was not selected, is unavailable to the operator of the administrative computer (because the operator is an intermediate administrator or an administrator), or was selected and has been processed, the logic proceeds to decision block 234, where it determines whether the time schedule toolbar button 94 has been selected. Those of ordinary skill in the art will appreciate that the time schedule toolbar button shown in the main window 84 is greyed out for intermediate administrators and administrators. If the time schedule toolbar button 94 is selected by a system administrator, the GUI 70 generates the time schedule window 104 shown in FIG. 8D on the display 58 of the system administrator's administrative computer 54. To schedule the times at which all users on LAN 44 are denied access to information communicated using a particular application protocol, the system administrator selects the desired protocol from the protocol drop-down menu 106 and highlights, in the schedule 107, the blocks of time during which the protocol is to be denied. For example, if the system administrator decides that users do not need to access the World Wide Web for business purposes, the system administrator can permit access to information communicated using HTTP only outside business hours by selecting HTTP from the protocol drop-down menu 106 and highlighting 9 a.m. to 5 p.m. in the schedule 107. When the system administrator closes the window 104 using the Close button, the information is sent to the database 72 by the GUI 70.
Returning to block 236 in FIG. 7A, once the system administrator has selected the desired protocol and the time period during which the protocol is to be denied, a record is added at block 238 to the time schedule table 114 of the database 72, shown in FIG. 9C. More particularly, the record includes a restriction ID, identifying the record itself; a group ID, identifying the record in the user group table 121 that holds information about the corporate group; and a start date, an end date, a start time and an end time, which respectively identify the dates and times at which the protocol restriction begins and ends. The time schedule record also includes a protocol ID, which identifies the record in the protocol table 116 that holds information about the denied protocol. Once the time schedule record for the newly defined time restriction has been added to the time schedule table 114 at block 238, the time schedule transmit flag is set at block 240, indicating that the time schedule table 114 is ready to be sent to the filter executive 76.
Returning to decision block 234 in FIG. 7A, if the time schedule option has not been selected, or has been selected and the system administrator has entered the desired time restriction, the logic proceeds from decision block 234 to decision block 242, where it determines whether the user has selected the user add, edit or delete toolbar button 90a, 90b or 90c respectively. As noted above, only system administrators and intermediate administrators can add users to, modify users in, or delete users from the user list 88; administrators are prohibited from performing these tasks, and the user add, edit and delete toolbar buttons 90a, 90b and 90c are therefore greyed out in the main window 84 displayed to an administrator.
When a system administrator or intermediate administrator selects the user add toolbar button 90a, the GUI 70 generates the add new user window 105 shown in FIG. 8E. The system administrator or intermediate administrator enters the information requested for the user, that is, the user's first name, middle name, last name, login name, e-mail address and domain name. In addition, the user is assigned an access level: system administrator, intermediate administrator, administrator or none. Once the system administrator or intermediate administrator has entered the appropriate information and selected the Apply button, a corresponding user record is inserted into the user table 118 of the database 72, shown in FIG. 9B. The user record includes a user ID identifying the record itself and the first name, middle initial, last name, login name, e-mail address and domain name entered for the user. If the user being added is a system administrator, intermediate administrator or administrator, a record is also added to the access level table 119; otherwise no record is added to the access level table 119. The access level record includes the user ID of the user's record in the user table 118 and the access level assigned to the user, that is, system administrator, intermediate administrator, administrator or none. Those of ordinary skill in the relational database art will recognize that the user ID is used to match the user information stored in the access level table 119 with the user information stored in the user table 118.
Once a user has been added to the user list 88, the user automatically becomes a member of the corporate group. A record is therefore added to the group membership table 120. The group membership record includes the user ID identifying the record in the user table 118 that holds the user's key information, and a group ID pointing to the record in the group membership table that holds information about the corporate group.
Finally, when a user is added to the user list 88, records for that user are added to several "policy" tables in the database 72. As described in detail below, these policy tables include the user protocol policy table 122, the user site policy table 123 and the user file type policy table 124. In each table, a record is added for the user for each policy that the user inherits from the corporate group. Each such record includes: (1) a group ID pointing to the corporate group in the group membership table 120; (2) a user ID pointing to the user in the user table 118; (3) a current access field, indicating whether the policy currently in force for the user denies or allows access to the particular protocol, site or file type; (4) a personal access field, indicating whether the user's own, individual policy allows or denies access to the particular protocol, site or file type, regardless of the access currently in force for the user; (5) a current restriction field, identifying the group or subgroup whose denial policy is currently applied to the user; and (6) a personal restriction field, which, when the current restriction field identifies a group, identifies the policy that the users of that group and its subgroups inherit from the settings made for the group as a whole. Each record added to a policy table also includes an index into the table that holds the specific information about the policy concerned. For example, each record added to the user protocol policy table 122 also includes a protocol ID identifying the record in the protocol table 116 that holds the name, port and alias information of the protocol in question. Similarly, each record added to the user site policy table 123 for the user includes a site ID identifying the record in the site table 126 that holds the domain name information of the site in question. Finally, each record added to the user file type policy table 124 for the user includes a file type ID identifying the record in the file type table 128 that holds the file extension to which the user is denied access.
In addition to the user protocol, site and file type policy tables 122, 123 and 124, the user quota table 125 is updated when a user is added to the user list 88. More particularly, a record is added to the user quota table 125 for the user. This record includes a group ID indexing the corporate group record in the group membership table 120; a user ID indexing the user's record in the user table 118; a current quota field identifying the data transfer quota currently imposed on the user; and a personal quota field identifying the personal data quota to be applied to the user if the user's current quota is deleted.
Returning to block 246 of FIG. 7A, once a system administrator or intermediate administrator has added a user to the user list 88, and the corresponding records for that user have been added to the user table 118, the access level table 119, the group membership table 120, the user protocol policy table 122, the user site policy table 123, the user file type policy table 124 and the user quota table 125, the logic proceeds to block 248, where a record for the user is added to the transmit table 134 stored in the database 72, shown in FIG. 9D. As described in detail below, the transmit table 134 is used to build the user policy table 136. The user policy table 136 is a collection of each user's records from the user protocol, site and file type policy tables 122, 123 and 124. The user policy table 136 is ultimately provided to the filter executive 76 so that the filter executive can optimize the policies into a rule set for each user, to be applied by the filter engine 78 to the IP packet traffic passing through the network server 50. The user record added to the transmit table includes the user's user ID and an action flag indicating whether the filter engine 78 is to add, replace or delete the corresponding rules for that user. When a user is added to the user list 88, the action flag is set to add, rather than replace or delete.
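The following is an added worked example and not code from the patent or from the assignee's product. It models the per-user policy records and the transmit table described above: each record keeps the setting currently in force (the current access field) together with the group it came from (the current restriction field) and the user's own setting (the personal access field), so the personal setting is reinstated when a group restriction is lifted, and every change queues an add, replace or delete action for the filter executive. Two points the patent leaves open are assumptions made here: the nearest group in the hierarchy that defines an item overrides its parent groups, and a deny from either the group side or the personal side takes effect (deny wins). The class names, the group hierarchy and the sample data are likewise assumptions.

```python
# Added example, not the patent's own code: per-user policy records with
# current (group-derived) and personal access fields, group inheritance down
# a hierarchy, and the transmit table of add/replace/delete actions handed to
# the filter executive. Override order and deny-wins are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PolicyRecord:
    group_id: str                       # group the user belongs to
    user_id: str
    item_id: str                        # protocol, site or file-type ID
    current_access: bool = True         # group-derived setting now in force
    personal_access: bool = True        # the user's own setting, always kept
    current_restriction: Optional[str] = None   # group whose setting applies


class PolicyDatabase:
    def __init__(self, parents: Dict[str, Optional[str]]) -> None:
        self.parents = parents                    # group -> parent (root -> None)
        self.members: Dict[str, str] = {}         # user -> group
        self.group_policy: Dict[Tuple[str, str], bool] = {}   # (group, item) -> allow?
        self.records: Dict[Tuple[str, str], PolicyRecord] = {}
        self.transmit: List[Tuple[str, str]] = []   # (user, add|replace|delete)

    def _chain(self, user: str) -> List[str]:
        # Most specific group first, up to the root (corporate) group.
        chain, g = [], self.members[user]
        while g is not None:
            chain.append(g)
            g = self.parents[g]
        return chain

    def _refresh(self, user: str, item: str) -> None:
        rec = self.records[(user, item)]
        for g in self._chain(user):
            if (g, item) in self.group_policy:    # nearest defining group wins
                rec.current_access = self.group_policy[(g, item)]
                rec.current_restriction = g
                return
        rec.current_access, rec.current_restriction = rec.personal_access, None

    def add_user(self, user: str, group: str, items: List[str]) -> None:
        self.members[user] = group
        for item in items:
            self.records[(user, item)] = PolicyRecord(group, user, item)
            self._refresh(user, item)
        self.transmit.append((user, "add"))

    def delete_user(self, user: str) -> None:
        del self.members[user]
        for key in [k for k in self.records if k[0] == user]:
            del self.records[key]
        self.transmit.append((user, "delete"))

    def set_group_policy(self, group: str, item: str, allow: Optional[bool]) -> None:
        if allow is None:                          # None lifts the group's setting
            self.group_policy.pop((group, item), None)
        else:
            self.group_policy[(group, item)] = allow
        for user in self.members:                  # every member of group or children
            if group in self._chain(user) and (user, item) in self.records:
                self._refresh(user, item)
                self.transmit.append((user, "replace"))

    def set_personal_policy(self, user: str, item: str, allow: bool) -> None:
        self.records[(user, item)].personal_access = allow
        self._refresh(user, item)
        self.transmit.append((user, "replace"))

    def effective(self, user: str, item: str) -> bool:
        rec = self.records[(user, item)]
        return rec.current_access and rec.personal_access   # deny wins

    def flush(self) -> Dict[str, Tuple[str, Dict[str, bool]]]:
        # What the filter executive receives: per user, the pending action and
        # the effective rule set; a delete carries no rules. An "add" queued
        # before later replaces stays an "add" for that user.
        out: Dict[str, Tuple[str, Dict[str, bool]]] = {}
        for user, action in self.transmit:
            if action == "delete":
                out[user] = ("delete", {})
                continue
            prev = out[user][0] if user in out else None
            act = "add" if "add" in (prev, action) else "replace"
            rules = {i: self.effective(user, i) for (u, i) in self.records if u == user}
            out[user] = (act, rules)
        self.transmit.clear()
        return out


if __name__ == "__main__":
    db = PolicyDatabase({"corporate": None, "finance": "corporate"})
    db.add_user("alice", "finance", ["telnet"])
    db.set_group_policy("corporate", "telnet", False)
    print(db.effective("alice", "telnet"), db.flush())
```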
Although, as just described, a user can be added to the user list 88, a user's existing records in the database 72 can also be edited, or the user deleted entirely from the user list 88. To modify a user's core information, the system administrator or intermediate administrator highlights the desired user in the user list 88 and selects the user edit toolbar button 90b in the main window 84. The add new user window 105 is displayed again and the system administrator or intermediate administrator enters the new information. The user's record in the user table 118 is then modified with the new information. If the user's access level has changed, the user's corresponding record in the access level table 119 is modified accordingly. However, since a modification of core information does not change the user's user ID, there is no need to add, modify or delete any of the user's corresponding records in the group membership table 120, the user quota table 125, the user file type policy table 124, the user site policy table 123 or the user protocol policy table 122.
If user's respective record is modified at piece 246 in subscriber's meter 118, logic is gone to piece 248.At piece 248, user's a record is added in the transmission table 134 of the user ID that comprises the user and alternative acts mark.
By the desired user and the selection deletion user instrument bar button 90C that highlight in the subscriber's meter 88, a user is deleted from subscriber's meter 88.Thereby database 72 is piece 246 deletion subscriber's meters 118 in Fig. 7 A, access level table 119, and User Agreement Policy Table 122, user site Policy Table 123.User file type of policy table 124, all these users' respective record in user's rating form 125 and the group membership's table 120.At piece 248, the user record of deletion is added in user ID that comprises the user and the transmission table 134 of the deleting action mark.
Returning to decision block 242 of Fig. 7 A, if the add/edit/delete user option has not been selected, or it was selected but is no longer available because the user has accordingly been added, modified or deleted, the logic proceeds to decision block 250, where it determines whether the computer mapping option has been selected from the main window 84. To assign a user to a supervisory computer 54 or a client computer 52, the system administrator or intermediate supervisor highlights the desired user in the user list 88 and selects the Computer tab 96 in the main window 84. In response, the GUI 70 produces the computer tab window 107 shown in Fig. 8 F. The computer tab window 108 lists the current mapping information for the highlighted user, i.e., the assignment or mapping of computers to that user. To map a computer to the user, the Add button is selected, and in the add computer interface 109 produced by the GUI 70 as shown in Fig. 8 G the system administrator or intermediate supervisor enters the name of the computer assigned to the user and the IP address of that computer, then selects the Apply button to send this information to the database 72.
Returning to block 252 of Fig. 7 A, once the system administrator or intermediate supervisor has assigned a user to a computer, a record for the user's computer is added at block 254 to the user computer table 115 in the database 72. As shown in Fig. 9 B, the user computer record contains the user's user ID and a computer ID identifying a record in the computer table 117, which contains the computer name (also called the "host name") and the IP address of the computer entered in the add computer interface 109. Those of ordinary skill in the relational database field will appreciate that a separate table 117 of computer records is kept because more than one computer on the LAN 44 may be assigned to each user.
As noted above, once the user computer table 115 and the computer table 117 have been updated, a user record is added at block 256 to the user mapping table 138 stored in the database 72. As shown in Fig. 9 D, the user mapping table 138 contains one record for each mapping between a user recorded in the user list 88 and a client computer 52 or supervisory computer 52 on the LAN 44. Each user mapping record contains the user's user ID, the name of the computer assigned to the user, the IP address of the user's computer, the user's login name, the user's domain name and an add action flag.
In addition to assigning a user to a computer, an existing assignment or mapping of a computer to a user can also be modified or deleted. To modify an existing mapping, the system administrator or intermediate supervisor enters a new computer name and/or IP address in the add computer interface 109 shown in Fig. 8 G and selects the Apply button. The user's records in the user computer table 115 and the computer table 117 are then modified accordingly at block 254. At block 256, a record containing the new computer name and/or computer IP address is added for the user to the user mapping table 138. In addition, the action flag is set to replace, so that the filter engine 78 replaces its current mapping record for the user with the modified user mapping record.
If the system administrator or manager deletes the mapping of a computer to a user at block 252, the corresponding record is deleted from the user computer table 115 at block 254. Then, at block 256, a record for the user whose current mapping has just been deleted is again added to the user mapping table 138, but an invalid IP address is stored in that user mapping record. In addition, the action flag is set to delete, so that the filter engine 78 deletes the mapping for the corresponding user from its mapping table.
Returning to decision block 250 of Fig. 7 A, if the computer mapping option has not been selected, or it has been selected and the mapping has been assigned, the logic proceeds to decision block 258, where it determines whether one of the add, edit or delete group toolbar buttons 92a, 92b or 92c has been selected. As noted above, managers as well as the system administrator and intermediate supervisors can add, modify and delete groups. In the presently described embodiment of the invention, however, a manager is only permitted to modify and delete those sub-groups of the corporate group of which the manager is the owner, or which are sub-groups of a group the manager owns. That is, a manager may only delete sub-groups the manager has created, or the sub-groups of those groups for which the system administrator or intermediate supervisor has designated the manager as owner.
Returning to decision block 258, if the add group toolbar button 92a is selected by the system administrator, an intermediate supervisor or a manager (hereinafter collectively referred to as the "operator"), the add group window 103 shown in Fig. 8 H is produced by the GUI 70 on the display 58 of the supervisory computer 54. The operator enters the name of the new sub-group, selects the parent group of the new sub-group from a "drop-down" menu of existing groups, and identifies the owner of the sub-group, i.e., the operator himself or another system administrator, intermediate supervisor or manager.
Using the example of a corporate environment, the system administrator or intermediate supervisor can create a sub-group of the corporate group for the finance department: the name of the new sub-group would be "finance", the new group would be a sub-group of the corporate group, and the system administrator or intermediate supervisor could identify a manager as the owner of the group. If the manager then wished to divide the finance group further into an international finance group and a domestic finance group, the manager would enter the name of the international finance group and define it as a sub-group of the finance group, and so on. As described in more detail below, when a group is added it inherits all the policies and quotas set for its parent group. In the example just described, the finance group inherits all the policies and quotas set for the corporate group.
After the system administrator, intermediate supervisor or manager has added a new group to the group hierarchy 86, a group record is added to the user group table 121 in the database 72 at block 260. As shown in Fig. 9 C, a user group record contains a group ID identifying the record itself, the group name, a group owner field in which the user ID of the operator who owns the group is stored, and a parent group ID field, which stores the group ID of the record in the user group table 121 that contains the information for the parent group.
A record for the newly added group is also added to the group protocol policy table 129, the group site policy table 130, the group file type policy table 131 and the group quota table 132. The group policy tables 129, 130 and 131 and the group quota table 132 are very similar to the user protocol, site and file type policy tables 122, 123 and 124 and the user quota table 125 described above. More specifically, each record in the group policy tables 129, 130 and 131 contains a group ID field, current access and personal access fields, and current restricted and personal restricted fields. In addition, a record in the group protocol policy table 129 contains a protocol ID, used to index the record in the protocol table 116 that identifies the allowed or denied protocol. Similarly, a record in the group site policy table 130 contains a site ID field used to index the group site table 126, and a record in the group file type policy table 131 contains a file type ID field used to index the group file type table 128. Each record in the group quota table 132 likewise contains a group ID, a current quota and a personal quota. The difference between the group policy and quota tables and the user policy and quota tables is that the user policy and quota tables also contain a user ID field identifying the corresponding user record in the user table 118.
When a new sub-group is added to the group hierarchy 86, and a record for the new sub-group is added to the group protocol policy table 129, the group site policy table 130, the group file type policy table 131 and the group quota table 132, the current access field of each record is set equal to the current access field in the corresponding policy record of the parent group, and a null value is stored in the personal access field. In addition, the current restricted field of the record is stored with the group ID of the parent group, and a null value is stored in the personal restricted field. Similarly, in the record added to the group quota table 132, the current quota of the newly added sub-group is set equal to the current quota in the corresponding quota record of the parent group, and the personal quota of the newly added sub-group is set to zero.
Returning to decision block 250 of Fig. 7 A, if the edit group toolbar button 92b is selected by the system administrator, intermediate supervisor or manager, the add new group window 103 is generated again by the GUI 70. The operator can enter a new name for the sub-group, or change the owner of the sub-group or the parent group of the sub-group. However, if the sub-group is a direct child of the corporate group, the parent group of the sub-group cannot be changed. Once the operator has modified the sub-group and selected the Apply button, the corresponding records of the sub-group in the user group table 121, the group policy tables and the group quota table are modified.
To delete a group from the group hierarchy 86, the operator highlights the desired sub-group and selects the delete group toolbar button 92C in the main window 84. Accordingly, the corresponding records of the sub-group in the user group table 121, the group protocol, site and file type policy tables 129, 130 and 131 and the group quota table 132 are all deleted. In addition, all records in the user policy tables 122, 123 and 124, the user quota table 125 and the group membership table 120 for each user belonging to the deleted group or sub-group are also deleted.
Returning to Fig. 7 B, once users have been added to the user list 88 and sub-groups of the corporate group have been added to the group hierarchy 86, the system administrator, intermediate supervisors and managers can add users as members of the existing groups and sub-groups. Accordingly, the logic proceeds to decision block 264 of Fig. 7 B, where it determines whether the add user to group toolbar button 91 has been selected. If so, the GUI 70 generates the add user to group window 111 shown in Fig. 8 I. The operator selects a user name from the user drop-down menu 127 and then selects the sub-group the user is to belong to from the group drop-down menu 100. It will be appreciated that a manager may only add users to those sub-groups of which the manager is the owner. In addition, in the presently described embodiment of the invention, a user may belong to only one group at a time.
When the operator selects the Apply button, a record for the user is added to the group membership table 120, as shown at block 268 of Fig. 7 B. The group membership record contains the group ID of the sub-group to which the user was added and the user's user ID. Corresponding records containing the group ID and the user ID are then added for the user to each of the user protocol, site and file type policy tables 122, 123 and 124, and to the user quota table 125. In this respect, the user inherits all the policies and the quota of the group of which it has become a member. More specifically, in each record added to the user protocol, site and file type policy tables 122, 123 and 124, the current access field is set equal to the current access field in the corresponding protocol, site or file type policy record of the sub-group, and the current restricted field is stored with the group ID of the sub-group of which the user has just become a member; the personal access and personal restricted fields are left unchanged. As for the user quota table 125, the current quota in the added record is set equal to the current quota in the group quota record of the sub-group, and the personal quota is left unchanged. Then, at block 270, a record for the user added to the group or sub-group is added to the transmission table 134, containing the user's ID and a replace action flag.
Returning to block 268 of Fig. 7 B, after the user's corresponding records have been added to the appropriate user tables, a user record containing the user's user ID and an add action flag is added to the transmission table 134.
Returning to decision block 264, if the add user to group option has not been selected, or it was selected but adding a user is not available, the logic proceeds to decision block 272, where it determines whether the add, edit or delete protocol option has been selected, i.e., whether the protocol toolbar button 98 has been selected in the main window 84. It will be appreciated that before any policy concerning a particular application protocol can be set, the application protocol must first be identified in the database 72. As noted above, only the system administrator is permitted to add, modify or delete application protocols. When the protocol toolbar button 98 is selected, the GUI generates the maintain application protocols window 99 shown in Fig. 8 J. To add an application protocol, the system administrator selects the Add button. In response, the GUI 70 generates the add application protocol window 97 shown in Fig. 8 K. The system administrator enters the protocol name, the protocol port number(s) and the alias by which the protocol is known, and selects the Apply button to pass this information to the database 72. For example, if the system administrator wants to deny users access to information transmitted using the file transfer protocol (FTP), the system administrator would enter the name, the alias "FTP" and the port numbers 20 and 21.
Returning to block 276 of Fig. 7 B, after the system administrator has entered the requested information, a record for the newly added application protocol is added to the protocol table 116 in the database 72. The protocol record contains a protocol ID identifying the record itself, the protocol name, the protocol alias and the port number(s) associated with the protocol, all as entered by the system administrator.
In the presently described embodiment of the invention, when a protocol is added to the protocol table 116, each group in the group hierarchy 86 and each user in the user list 88 is automatically permitted to access information communicated with that protocol. Therefore, a corresponding record for the newly added protocol must be added to the group protocol policy table 129 and the user protocol policy table 122 for each group in the group hierarchy 86 and each user in the user list 88. Each record added for each group and each user contains the protocol ID identifying the record in the protocol table 116 that holds the associated protocol information. In addition, the current access field in each such record is set to allow.
Returning to block 272 of Fig. 7 B, the system administrator can also modify and delete previously identified protocols. To edit an existing protocol, the system administrator highlights the desired protocol in the maintain application protocols window 99 and selects the Edit button. The add application protocol window 97 is displayed again, the system administrator enters the new information concerning the protocol, i.e., name, port and alias, and selects the Edit button. Accordingly, the corresponding record for the protocol in the protocol table 116 is modified to contain the new information. Since the protocol ID field in the modified record remains the same, there is no need to modify the group or user protocol policy tables 129 and 122 respectively.
If the system administrator wants to delete a protocol from the protocol table 116, and thereby remove the protocol from the control of the network supervisor 80, the system administrator highlights the desired protocol in the maintain application protocols window 99 and selects the Delete button. The corresponding record is then deleted from the protocol table 116, and any records in the group protocol policy table 129 and the user protocol policy table 122 containing the protocol ID of the deleted protocol are also deleted.
As required by block 276, after the corresponding records have been added, deleted or modified in the protocol table 116 and in the group and user protocol policy tables 129 and 122 respectively, a record is added to the transmission table 134 for each user associated with the added, modified or deleted protocol. Each such record contains the user's user ID and a replace action flag.
Returning to decision block 272 of Fig. 2 B, if the add/edit/delete protocol option has not been selected, or it was selected but is no longer available because an application protocol has been added, modified or deleted, the logic proceeds from block 272 to decision block 278, where it determines whether one of the policy options has been selected. As noted above, the system administrator, intermediate supervisors and managers are permitted to set protocol policies, site policies and file extension policies at the group level or at the user level. However, a manager can only set policies for those sub-groups of which the manager is the owner, and for those users belonging to the sub-groups the manager owns. In addition, only the system administrator is permitted to set the policies of the corporate group. To select a policy option for a group or user, the operator highlights the desired group in the group hierarchy 86 or the desired user in the user list 88, and then selects the desired site policy tab 95, protocol policy tab 93 or file policy tab 81. Depending on which policy the operator wishes to set, the protocol policy tab window 142 shown in Fig. 8 L, the file policy tab window 143 shown in Fig. 8 M or the site policy tab window 144 shown in Fig. 8 O is created by the GUI 70 on the display 58 of the operator's supervisory computer 54. The operator then sets the desired policy in the displayed window 142, 143 or 144, as shown at block 280 of Fig. 7 B.
Once the policy has been set, the logic proceeds to decision block 282, where it determines whether the policy has been applied to a group in the group hierarchy 86. If so, the records in the corresponding group policy table for the group and its sub-groups are updated at block 284, so that the policy set for the group is correctly inherited by each sub-group of the group and by each user belonging to the group or any of its sub-groups. In addition, the corresponding records of any user belonging to the group or any of its sub-groups are updated in the appropriate user policy table. The logic implemented by the database 72 to update the group and user policy records, so that a group policy is correctly inherited by all the sub-groups of the group and by all the users belonging to the group or any of its sub-groups, is described in detail below.
Returning to decision block 282, if the policy was not set for a group, the logic proceeds to block 286, where it determines whether the policy has been applied to an individual user. If so, the logic proceeds to block 288, where the corresponding user record in the appropriate user policy table is updated. Once the record has been updated, the logic proceeds to block 290, where a user record containing the user ID and a replace action flag is added to the transmission table 134.
Returning to block 280 of Fig. 7 B, the setting of group and user protocol policies from the main window 84 will now be described in more detail. If the system administrator, an intermediate supervisor or a manager intends to set a group protocol policy, the operator highlights the desired group in the group hierarchy 86 and selects the protocol policy tab 93 in the main window 84. The GUI 70 then generates the protocol policy tab window 142 shown in Fig. 8 L. The protocol policy tab window 142 contains a list of the protocols identified to the network supervisor 80, i.e., those found in the protocol table 116. To allow access to one of the application protocols listed in the protocol policy window 142, the operator selects the corresponding check box. For example, if the operator wishes to allow access to World Wide Web information communicated using HTTP, the operator would select the WWW check box. As described in more detail below, the highlighted group and its direct member users are then necessarily allowed access to information communicated with HTTP. In addition, any sub-groups of the highlighted group and their member users will also be allowed access to information transmitted with the selected protocol, provided they have not themselves been individually denied access to the selected application protocol.
If the operator wants to deny the highlighted group access to information transmitted using one of the protocols listed in the protocol policy window 142, the operator clears the corresponding check box. As described in detail below, the highlighted group and its direct member users are then necessarily denied access to information transmitted using the corresponding application protocol. In addition, any sub-group of the highlighted group, and any user belonging to such a sub-group, is also denied access to that application protocol.
The logic implemented by the database 72 to update the group and user protocol policy tables in the manner described above is shown in Figs. 10 A and 10 B. The logic begins at block 320 of Fig. 10 A and proceeds to block 322, where the group protocol policy record of the highlighted group for the protocol selected by the operator is retrieved from the group protocol policy table 129. Those of ordinary skill in the relational database field will recognize that these records are easily retrieved by matching fields in the user group table, the protocol table 116 and the group protocol policy table 129. At decision block 324, the database 72 determines whether the operator has chosen to deny the protocol, i.e., whether the operator has cleared the corresponding check box in the protocol tab window 142. If so, the logic proceeds to block 326, where the current access field and the personal access field in the group protocol policy record of the highlighted group are set to deny. At block 328, the current restricted field and the personal restricted field of the group are set to the group ID of the highlighted group.
The deny policy then needs to be propagated down the group hierarchy 86 to the children of the group, so that the deny policy is inherited by all the users belonging to the group, all the sub-groups of the group, and all the users belonging to those sub-groups. In this respect, the logic proceeds from block 328 to block 330, where the current access field in the group protocol policy record of each sub-group of the highlighted group is set to deny. The current restricted field in each of these records is stored with the group ID of the highlighted group.
Similarly, at block 332, the current access field in the user protocol policy record of each user belonging to the highlighted group, and of each user belonging to any of its sub-groups, is set to deny. The group ID of the highlighted group is likewise stored in the current restricted field of each such user protocol policy record. At block 334, a record is added to the transmission table 134 for each user belonging to the highlighted group or any of its sub-groups. This record contains the user's user ID and a replace action flag. The logic then ends at block 336.
Returning to decision block 324, if the operator has chosen to allow the application protocol, the logic proceeds from decision block 324 to block 338 of Fig. 10 B. At block 338, the current access field in the group protocol policy record of the highlighted group is set to allow, and null values are stored in the personal access field, the current restricted field and the personal restricted field. In contrast to the logic implemented by the database 72 when a protocol is denied, the policy is inherited only by those users belonging to the group, and those users belonging to sub-groups of the group, who do not have another, more restrictive personal protocol policy, i.e., whose personal access field has not been set to deny. Therefore, before the protocol policy of a user or sub-group is set to allow, it must first be determined whether the sub-group or user has another, more restrictive personal protocol policy.
In this respect, the logic proceeds from block 338 to block 340, where the group protocol policy record for the selected protocol of the first sub-group of the highlighted group is obtained from the group protocol policy table 129. At decision block 342, the logic determines whether the current access field in the group protocol policy record of the corresponding parent group equals deny. If so, the sub-group must inherit the more restrictive protocol policy of its parent group. Therefore, at block 344, the current access field in the group policy record of the sub-group is set equal to the current access field in the group protocol policy record of the parent group, and in addition the ID of the parent group is stored in the current restricted field of the group policy record of the sub-group.
Returning to decision block 324, if the current access field of the parent group does not equal deny, the logic proceeds to decision block 346, where it determines whether the personal access field of the sub-group equals deny. If so, the current access field of the sub-group reverts to its own more restrictive personal protocol policy, i.e., at block 348 the current access field in the group policy record of the sub-group is set equal to its personal access field. In addition, the group ID of the sub-group is stored in the current restricted field. In other words, if the sub-group has a personal policy denying the selected protocol, the sub-group reverts to its own more restrictive personal policy rather than adopting the less restrictive allow policy. Because the current access field of the sub-group is in effect determined by the sub-group itself, the sub-group's own group ID is stored in the current restricted field.
Returning to decision block 346, if the personal access field does not equal deny, the logic proceeds to block 350, where the database 72 sets the current access field of the sub-group to allow and stores a null value in the current restricted field, indicating that the group is not currently restricted by any particular group.
Once the current access and current restricted fields in the group policy record of the sub-group have been set, the logic proceeds to decision block 352, where it determines whether the group policy record of the last sub-group of the highlighted group has been updated. If not, the logic proceeds to block 354, where the group protocol policy record of the next sub-group of the highlighted group is obtained. Blocks 342 to 354 are then repeated for each sub-group of the highlighted group. Consequently, only those sub-groups of the highlighted group whose direct parent group does not have a current access field equal to deny, and which do not themselves have a personal access field equal to deny, inherit the less restrictive protocol policy of the highlighted group, i.e., the policy allowing the selected protocol.
Returning to decision block 352, when the group protocol policy record of the last sub-group has been updated, the logic proceeds through blocks 356 to 370, so that the corresponding user protocol policy record of each user belonging to the highlighted group or any of its sub-groups is updated. In particular, at block 356, the user protocol policy record of the first user belonging to the highlighted group or any of its sub-groups is obtained. At decision block 358, the logic determines whether the personal access field in the user protocol policy record equals deny. If so, the user reverts to its own more restrictive personal policy, which denies the protocol. In particular, at block 360 the current access field in the user protocol policy record is set equal to the personal access field. In addition, the group ID of the highlighted group is stored in the current restricted field, indicating that the user's protocol policy is currently restricted by the highlighted group.
If, on the other hand, the user does not have a more restrictive protocol policy, the logic proceeds from decision block 358 to block 362, where the current access field in the user protocol policy record is set equal to allow. In addition, a null value is stored in the current restricted field.
Once the current access field and the current restricted field have been set in the user protocol policy record, the logic proceeds to block 364, where a record for the user, containing the user's user ID and a replace action flag, is added to the transmission table 134. The database 72 then determines, at decision block 366, whether the user protocol policy record of the last user belonging to the highlighted group or any of its sub-groups has been updated. If not, the user protocol policy record of the next user is obtained at block 368. Blocks 358 to 368 are thus repeated for each user belonging to the highlighted group or any of its sub-groups, so that the current access and personal access fields of each user are updated appropriately. After the user protocol policy record of the last such user has been updated, the logic ends at block 370.
Returning to Fig. 7 B, if the system administrator, intermediate supervisor or manager sets a protocol policy for an individual user rather than for a group, the logic proceeds through blocks 282 and 286 to block 288, where the user's record for the selected protocol in the user protocol policy table 122 is updated. If the protocol policy is set to deny for this user, the current access field and the personal access field in the user protocol record are set to deny. However, if the protocol policy for this user is set to allow, the current access field in the user's policy record can only be set to allow if the current access field of the group the user belongs to is not set to deny. In other words, if the user has inherited a more restrictive protocol policy from its parent group, that policy cannot be individually overridden with a less restrictive protocol policy. Therefore, if the current access field of the user's group is set to deny, the user's current access field remains set to deny, but its personal access field is set equal to allow.
Once the corresponding user record has been updated in the user protocol policy table 122 at block 288, the logic proceeds to block 290, where a user record is added to the transmission table 134, which is also stored in the database 72. This record contains the user's user ID and a replace action flag.
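The inheritance rules described above (a new sub-group taking its parent's current access and restriction at block 260, a new member taking its sub-group's settings at block 268, the deny walk of blocks 326 to 336, the allow walk of blocks 338 to 370, and the rule at block 288 that an individual allow cannot override a group deny) can be modelled in a short Python program. The block below is an added illustration and is not code from the patent or from Sequel Technology: the class and field names, the representation of groups and users as one `Node` type, the `(user ID, action flag)` form of the transmission table 134 and the sample corporate/finance/intl hierarchy are all constructed for the example. Where blocks 358 to 362 consult only the user's personal access field, the example also checks the current access of the user's own sub-group, applying the block 288 rule to the group walk; that additional check is the example's own.

```python
# Added illustration of the protocol policy tables and the inheritance logic of
# Figs. 10 A and 10 B.  Not the patent's code: names, the transmission-table
# representation and the sample hierarchy are constructed for this example.
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY = "allow", "deny"

@dataclass
class PolicyRecord:
    """One row of a protocol policy table (group table 129 or user table 122)."""
    current_access: str = ALLOW              # effective setting after inheritance
    personal_access: Optional[str] = None    # setting made on this group/user itself
    current_restrict: Optional[str] = None   # group ID whose policy now constrains the row
    personal_restrict: Optional[str] = None  # group ID stored when the row itself was restricted

@dataclass
class Node:
    """A group (parent = parent group ID) or a user (parent = ID of its single group)."""
    key: str
    parent: Optional[str]
    policy: dict = field(default_factory=dict)   # protocol name -> PolicyRecord

class PolicyDB:
    def __init__(self, protocols: list[str]) -> None:
        self.protocols, self.groups, self.users = protocols, {}, {}
        self.transmission: list[tuple[str, str]] = []   # (user ID, action flag) rows

    def add_group(self, gid: str, parent: Optional[str] = None) -> None:
        g = Node(gid, parent)
        for p in self.protocols:   # a sub-group inherits the parent's current access
            par = self.groups[parent].policy[p] if parent else PolicyRecord()
            g.policy[p] = PolicyRecord(par.current_access, None, parent, None)
        self.groups[gid] = g

    def add_user(self, uid: str, gid: str) -> None:
        u = Node(uid, gid)
        for p in self.protocols:   # a member inherits its sub-group's current access
            u.policy[p] = PolicyRecord(self.groups[gid].policy[p].current_access, None, gid, None)
        self.users[uid] = u
        self.transmission.append((uid, "add"))

    def descendants(self, gid: str) -> list[str]:
        """All sub-groups below gid, each parent listed before its children."""
        kids = [g.key for g in self.groups.values() if g.parent == gid]
        return kids + [d for k in kids for d in self.descendants(k)]

    def members(self, gids: list[str]) -> list[Node]:
        return [u for u in self.users.values() if u.parent in gids]

    def set_group_protocol(self, gid: str, proto: str, decision: str) -> None:
        top, subs = self.groups[gid].policy[proto], self.descendants(gid)
        if decision == DENY:   # blocks 326-334: a deny flows down unconditionally
            top.current_access = top.personal_access = DENY
            top.current_restrict = top.personal_restrict = gid
            for rec in [self.groups[sg].policy[proto] for sg in subs]:
                rec.current_access, rec.current_restrict = DENY, gid
            for u in self.members([gid] + subs):
                u.policy[proto].current_access, u.policy[proto].current_restrict = DENY, gid
                self.transmission.append((u.key, "replace"))
            return
        # blocks 338-370: an allow only reaches rows with no stricter policy left
        top.current_access, top.personal_access = ALLOW, None
        top.current_restrict = top.personal_restrict = None
        for sg in subs:   # parents first, so a parent's row is final before its children
            g = self.groups[sg]
            rec, par = g.policy[proto], self.groups[g.parent].policy[proto]
            if par.current_access == DENY:       # block 344: keep the parent's stricter policy
                rec.current_access, rec.current_restrict = par.current_access, g.parent
            elif rec.personal_access == DENY:    # block 348: revert to own personal deny
                rec.current_access, rec.current_restrict = rec.personal_access, sg
            else:                                # block 350
                rec.current_access, rec.current_restrict = ALLOW, None
        for u in self.members([gid] + subs):
            rec, grp = u.policy[proto], self.groups[u.parent].policy[proto]
            if rec.personal_access == DENY:      # block 360
                rec.current_access, rec.current_restrict = DENY, gid
            elif grp.current_access == DENY:     # example's extension: a group deny still binds
                rec.current_access, rec.current_restrict = DENY, grp.current_restrict
            else:                                # block 362
                rec.current_access, rec.current_restrict = ALLOW, None
            self.transmission.append((u.key, "replace"))

    def set_user_protocol(self, uid: str, proto: str, decision: str) -> None:
        """Blocks 288-290: an individual allow cannot override an inherited deny."""
        u = self.users[uid]
        rec, grp = u.policy[proto], self.groups[u.parent].policy[proto]
        rec.personal_access = decision
        rec.current_access = DENY if DENY in (decision, grp.current_access) else ALLOW
        self.transmission.append((uid, "replace"))

def scenario() -> PolicyDB:
    """Constructed sample hierarchy corporate > finance > intl with three users."""
    db = PolicyDB(["FTP"])
    for gid, parent in (("corporate", None), ("finance", "corporate"), ("intl", "finance")):
        db.add_group(gid, parent)
    for uid, gid in (("alice", "finance"), ("bob", "intl"), ("carol", "corporate")):
        db.add_user(uid, gid)
    db.set_group_protocol("finance", "FTP", DENY)    # finance, intl, alice and bob denied
    db.set_group_protocol("intl", "FTP", DENY)       # intl now carries its own personal deny
    db.set_group_protocol("finance", "FTP", ALLOW)   # alice allowed again; intl and bob stay denied
    db.set_user_protocol("bob", "FTP", ALLOW)        # personal allow recorded, current stays deny
    return db
```

Running `scenario()` shows the two properties the walk is built around: a deny on "finance" reaches the "intl" sub-group and every member below it, whereas re-allowing "finance" restores only the rows that carry no stricter policy, so "intl" (personal deny) and "bob" (member of a still-denied sub-group) remain denied and keep the restricting group ID in their current restricted field. Every change to a user row also appends a replace row to the transmission list, which is what the filter executive would later consume.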
Besides setting protocol policies for groups and users, the system administrator, intermediate supervisor and manager are also allowed to set file type policies, that is, to prevent groups and users from downloading files of certain types, such as executable files with an ".exe" suffix or archive files with a ".zip" suffix. Returning to the main window 84 shown in Fig. 6, the operator first highlights the desired group in the group hierarchy 86, or the desired user in the user list 88, for whom the file type policy is to be set, and then selects the file type tab 91 in the main window 84. In response, the GUI 70 generates the file type policy window 143 shown in Fig. 8M, which contains the list of file extensions denied to the corresponding group or user. To deny access to a particular file type, the file extension to be denied must be added to the list of denied file extensions shown in window 143. Conversely, to allow access to a particular file type, the file extension in question must be deleted from the list of file extensions shown in window 143.
Thus, to add a file extension to the list of denied file extensions and thereby deny access to files of that type, the operator selects the Add button in the file type policy window 143. In response, the GUI 70 generates the add file restriction window 145 shown in Fig. 8N on the display 58 of the supervisory computer 54. The operator enters the file extension to be denied and a description of the file extension. The operator then selects the Apply button, which sends the entered information to the database 72.
Returning to Fig. 7B, once the operator has set a file type policy in block 280 in the manner described above, the logic proceeds to decision block 282, which determines whether the file type policy was set for a group. If so, the logic proceeds to block 284, where the records of the corresponding group and its subgroups in the group file type policy table 131, and the corresponding records of the users belonging to those groups in the user file type policy table 124, are updated. The logic implemented by the database 72 to update the group and user file type policy tables is shown in more detail in Figs. 11A and 11B.
The logic starts at block 372 in Fig. 11A and proceeds to decision block 374, which determines whether a file type restriction has been added by the operator to the highlighted group. If so, the logic proceeds to block 376, where a record for the file extension to be denied is added to the file type table 128 if it does not already exist. This record contains a file type ID identifying the record itself, the file extension to be denied, and the description of the file extension. In block 378, a record for the highlighted group is added to the group file type policy table 131. In the newly added record, the current access and personal access fields are set to deny, and the group ID of the highlighted group is stored in the current restrictor and personal restrictor fields. In addition, the file type ID identifying the record in the file type table 128 that contains the file extension to be denied is also stored in the newly added record. The result of blocks 376 and 378 is that a file type denial policy for the newly added file type is set for the highlighted group. The file type denial policy for that file extension must then be inherited by all subgroups of the highlighted group, and by all users belonging to the highlighted group and its subgroups.
In this respect, the logic proceeds to block 380, where, in the group file type policy record of each subgroup of the highlighted group, the current access field is set to deny and the group ID of the highlighted group is stored in the current restrictor field. It is possible, however, that a subgroup has no group file type policy record for the file extension to be denied. If so, a new record for the subgroup is added to the group file type policy table, containing the file type ID of the file extension to be denied, a current access field set to deny, and a current restrictor field storing the group ID of the highlighted group.
Once the group file type policy record of each subgroup of the highlighted group has been updated or added to reflect the file type denial policy, the user file type policy record of each user belonging to the highlighted group or any of its subgroups is updated in block 382. More particularly, the current access field in each such user's user file type policy record is set to deny, and the group ID of the highlighted group is stored in the current restrictor field. A user may not yet have a record for the denied file extension in the user file type policy table. If so, a new record with the same current access and current restrictor fields described above is added for that user, containing the file type ID of the record in the file type table 128 that holds the denied file extension.
Once all user file type policy records have been updated in block 382, the logic proceeds to block 384, where a record is added to the transmit table 134 in the database for each user belonging to the highlighted group or any of its subgroups. Each record added to the transmit table contains the user's user ID and a replace action flag. The logic then ends at block 386.
Returning to block 374, if a file type restriction was not added to the list of file extensions in the file type policy window 143, i.e. a file extension was deleted from the list in window 143, the logic proceeds to block 388 in Fig. 11B. In block 388, the group policy record of the highlighted group for the deleted file extension is removed from the group file type policy table 124. It will be appreciated that if a group has no record for a particular file extension in the group file type policy table, the group is not denied access to files with that extension; in other words, the group is allowed to access files with that file extension.
Just because a group is allowed to access files with a particular file extension, however, it does not follow that every user belonging to that group or its subgroups is allowed to access files with that extension. In particular, if any subgroup of the highlighted group, or any user belonging to the highlighted group or its subgroups, has a more restrictive file type policy for the specific file extension, i.e. the personal access field in the group or user file type policy record equals deny, the corresponding file type policy record of that group or user is not deleted, and the file type denial policy of those users or groups is retained.
In this respect, the logic proceeds from block 388 to block 390, where the group file type policy record for this specific file extension is obtained from the group file type policy table for the first subgroup of the highlighted group. In decision block 392, the database 72 determines whether the parent of the subgroup denies access to this file extension, i.e. whether the parent group has a group file type policy record for the denied file extension in the group file type policy table 131. If so, the subgroup has inherited the more restrictive file type denial policy of its parent group. Therefore, if the result of decision block 392 is positive, the current access and personal access fields and the current restrictor and personal restrictor fields in the subgroup's group file type policy record are left unchanged.
On the other hand, if the parent group does not restrict this file type, the logic proceeds to decision block 394, where the database 72 determines whether the personal access field in the subgroup's group file type policy record is set to null or deny. If so, the current access field of the subgroup is restored to its personal access field in block 398. In addition, the group ID of the subgroup is stored in the current restrictor field. If, however, the personal access field of the subgroup is not set to null or deny, the logic proceeds to block 396, where the subgroup's group file type policy record for the selected file extension is deleted from the group file type policy table 131.
Once the group file type policy record of the first subgroup of the highlighted group has been processed as discussed above, the logic proceeds to decision block 402, which determines whether the group file type policy record of the last subgroup of the highlighted group has been processed. If not, the group file type policy record of the next subgroup of the highlighted group is obtained in block 404. Blocks 392 to 404 are repeated for each subgroup of the highlighted group.
When the last subgroup of the highlighted group has been processed, the logic proceeds from decision block 402 to blocks 406 to 418, where the corresponding user file type policy record of each user belonging to the highlighted group or any of its subgroups is updated. In this respect, the user file type policy record for the selected file extension is obtained for the first user belonging to the highlighted group or any of its subgroups. In decision block 408, the logic determines whether the personal access field in the record equals null or deny. If so, the current access field is set equal to the personal access field in block 412. In addition, the group ID of the highlighted group is stored in the current restrictor field. If, however, the personal access field does not equal null or deny, the user file type policy record is deleted from the user file type policy table 124 in block 410.
Once the user file type policy record has been updated or deleted as described above, the logic proceeds to block 414, where a record for the user is added to the transmit table 134, containing the user's user ID and a replace action flag. Finally, in decision block 416, the database 72 determines whether the user file type policy record of the last user belonging to the highlighted group or any of its subgroups has been processed. If not, the user file type policy record of the next user is obtained. Blocks 408 to 418 are then repeated for each user belonging to the highlighted group or any of its subgroups. When the last user's record has been processed, the logic ends at block 420.
Returning to Fig. 7B, if the operator sets a file type policy for a user rather than for a group, the logic proceeds through decision block 286 to block 288, where the user's corresponding record in the user file type policy table 124 is updated. It will be appreciated that if a file extension restriction is added for the user, i.e. access to the particular file type is to be denied, the current access field in the user's file type policy record for that file extension is set to deny and a null value is stored in the current restrictor field. If no user file type record exists for this user and the selected file type, a record with the fields just described is stored in the user file type policy table 124. If a file type restriction is removed for the user, the corresponding user file type policy record is deleted, provided that the group the user belongs to has no corresponding record for that file extension in the group file type policy table 131. Otherwise, the current access field in the user's policy record remains deny, and the user's personal access field is set to allow.
Once the user's user file type policy record has been updated in, or deleted from, the user file type policy table 124 in block 288, a record for the user, containing the user's user ID and a replace action flag, is added to the transmit table 134 in block 288.
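The protocol policy flow (blocks 358 to 370 and 288 to 290) and the file type flow (Figs. 11A and 11B) share one pattern: a group denial propagates to every subgroup and user, a user's own "allow" cannot loosen an inherited denial, and lifting a group denial restores only what no stricter parent or personal setting still forbids. The following Python model is an added illustration, not code from the patent; `Directory`, `Policy` and the method names are assumptions, and it generalises the flow by applying the parent check to user records as well as subgroups and by dropping inheritance-only records when the restriction is lifted.

```python
"""Policy inheritance over a group hierarchy, modelled on the protocol and
file-type policy records: current access, personal access and current
restrictor fields.  Added illustration; all names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DENY, ALLOW = "deny", "allow"


@dataclass
class Policy:
    current_access: str                 # effective setting
    personal_access: Optional[str]      # own setting, None if inherited only
    current_restrictor: Optional[str]   # group whose restriction applies


@dataclass
class Directory:
    parent: Dict[str, Optional[str]]          # group -> parent (None at root)
    user_group: Dict[str, str]                # user -> group
    records: Dict[Tuple[str, str], Policy] = field(default_factory=dict)
    transmit: List[Tuple[str, str]] = field(default_factory=list)  # (user, action)

    def subgroups(self, group: str) -> List[str]:
        """Descendant groups in top-down order (parents before children)."""
        out: List[str] = []
        for g, p in self.parent.items():
            if p == group:
                out.append(g)
                out.extend(self.subgroups(g))
        return out

    def users_under(self, group: str) -> List[str]:
        scope = {group, *self.subgroups(group)}
        return sorted(u for u, g in self.user_group.items() if g in scope)

    def groups_above(self, subject: str) -> List[str]:
        """Groups whose restrictions a group or user inherits, nearest first."""
        g = self.user_group.get(subject, self.parent.get(subject))
        chain: List[str] = []
        while g is not None:
            chain.append(g)
            g = self.parent[g]
        return chain

    def restricting_group(self, subject: str, key: str) -> Optional[str]:
        for g in self.groups_above(subject):
            rec = self.records.get((g, key))
            if rec is not None and rec.current_access == DENY:
                return g
        return None

    def deny_for_group(self, group: str, key: str) -> None:
        """Deny `key` (a protocol or extension) for a group; subgroups and
        users inherit the denial and users are queued for the filter engine."""
        self.records[(group, key)] = Policy(DENY, DENY, group)
        for subj in self.subgroups(group) + self.users_under(group):
            rec = self.records.setdefault((subj, key), Policy(DENY, None, group))
            rec.current_access, rec.current_restrictor = DENY, group
        for user in self.users_under(group):
            self.transmit.append((user, "replace"))

    def allow_for_group(self, group: str, key: str) -> None:
        """Lift a group's denial; stricter parent or personal settings survive."""
        self.records.pop((group, key), None)
        for subj in self.subgroups(group) + self.users_under(group):
            rec = self.records.get((subj, key))
            if rec is None:
                continue
            above = self.restricting_group(subj, key)
            if above is not None:                # still denied by an ancestor
                rec.current_access, rec.current_restrictor = DENY, above
            elif rec.personal_access == DENY:    # own stricter setting restored
                rec.current_access, rec.current_restrictor = DENY, subj
            else:                                # inherited-only or allowed
                del self.records[(subj, key)]
        for user in self.users_under(group):
            self.transmit.append((user, "replace"))

    def set_for_user(self, user: str, key: str, access: str) -> None:
        """Per-user setting; an inherited denial cannot be overridden by allow."""
        above = self.restricting_group(user, key)
        if access == DENY:
            self.records[(user, key)] = Policy(DENY, DENY, None)
        elif above is not None:
            self.records[(user, key)] = Policy(DENY, ALLOW, above)
        else:
            self.records.pop((user, key), None)
        self.transmit.append((user, "replace"))

    def is_denied(self, subject: str, key: str) -> bool:
        rec = self.records.get((subject, key))
        return rec is not None and rec.current_access == DENY


def demo() -> Directory:
    """Constructed sample hierarchy Corp > Eng > Dev with one user in each."""
    d = Directory(parent={"Corp": None, "Eng": "Corp", "Dev": "Eng"},
                  user_group={"alice": "Corp", "bob": "Eng", "carol": "Dev"})
    d.deny_for_group("Eng", ".exe")          # bob and carol lose .exe downloads
    d.set_for_user("carol", ".exe", ALLOW)   # cannot loosen the inherited denial
    d.deny_for_group("Dev", ".exe")          # Dev also denies on its own
    d.allow_for_group("Eng", ".exe")         # Eng lifts; Dev's denial survives
    return d
```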
Returning to Fig. 7B, the system administrator, intermediate supervisor and manager can also set site policies in addition to protocol and file type policies. In this respect, the operator highlights the desired group in the group hierarchy 86 or the desired user in the user list 88, and selects the site policy tab 95. In response, the GUI 70 generates the site policy window 145 shown in Fig. 8O. From the site policy window 145, the operator can add, edit or delete site policies for the highlighted group or user. In the present embodiment of the invention described here, the operator can set site policies for a group or user in one of two modes: (1) allow access to all sites except the specified sites; or (2) deny access to all sites except the specified sites. Therefore, if the site access rule is to allow access to all sites except the specified sites, a list of denied sites is shown in the site policy window 145. Conversely, if the site access rule is to deny access to all sites except the specified sites, a list of allowed sites is displayed in the site policy window 145. To add to either the denied site list or the allowed site list, the operator selects the Add button in the site policy window 145. In response, the GUI 70 generates the add site access window 147 shown in Fig. 8P. The operator then enters the name of the site to be denied or allowed, and the fully qualified domain name of the site, such as www.jobs.com, or the IP address of the site.
When the Apply button is selected, the information entered by the operator is sent to the database 72 via the GUI to update the group site policy table 130 and the user site policy table 123 respectively. In this respect, if the operator sets a site policy for a group rather than for a user, the logic proceeds from decision block 282 in Fig. 7B to block 284, where the corresponding records in the group and user site policy tables are updated by the database 72. The logic implemented by the database 72 to update the group and user site policy records is shown in more detail in Fig. 12. The logic starts at block 422 in Fig. 12 and proceeds to decision block 424, which determines whether the site access rule is in the allow-all-except-some mode. If so, the logic proceeds to block 426, where the database 72 uses a domain name server (DNS) lookup to resolve the entered fully qualified domain name to one or more IP addresses. Those of ordinary skill in the art will appreciate that the DNS lookup is performed by a remote domain name server located on the Internet 40. In block 428, a record is added to the site table 126 containing a site ID identifying the record itself, the entered domain name and the entered site name; in addition, a record is added to the site IP address table for each IP address to which the fully qualified domain name resolved. Each record added to the site IP address table 127 therefore contains the site ID pointing to the site table 126 and the resolved IP address. In block 430, a record for the highlighted group is added to the group site policy table 130. This record contains a site flag indicating that the site access rule is in the allow-all-except-some mode, the site ID identifying the record of the denied site in the site table 126, current access and personal access fields equal to deny, and current restrictor and personal restrictor fields storing the group ID of the highlighted group.
Once the group site policy record of the highlighted group has been updated, the group site policy record of each subgroup of the highlighted group and the user site policy record of each user belonging to those groups must be updated, so that the subgroups and users properly inherit the site policy of the highlighted group. Therefore, in block 432, in the group site policy record corresponding to each subgroup of the highlighted group, the current access field is set to deny and the group ID of the highlighted group is stored in the current restrictor field. A subgroup may not yet have a record in the group site policy table 130, however. If so, a record with the same current access and current restrictor fields described above is added to the group site policy table for the subgroup.
Similarly, in block 434, in the user site policy record of each user belonging to the highlighted group or to any subgroup of the highlighted group, the current access field is set to deny. In addition, the group ID of the highlighted group is stored in the current restrictor field of each such user's user site policy record. If a user has no corresponding record in the user site policy table, it will be appreciated that a record with the fields noted above is added to the user site policy table 123. Finally, in block 436, a record for each user belonging to the highlighted group or any of its subgroups is added to the transmit table 134. The record contains the user's user ID and a replace action flag.
Returning to decision block 424, if the site access rule is to deny all sites except certain specified sites, the logic proceeds from decision block 424 to block 437. It will be appreciated that if the site access rule is to deny all sites except the specified sites, the sites added by the operator identify the sites the highlighted group is allowed to access. The logic implemented by the database 72 to update the corresponding group and user site policy records is essentially the same as the logic for denying access to particular sites. Blocks 428 to 436 are therefore simply repeated, except that in each newly added record the current access field is set to allow and a null value is stored in the current restrictor field. When all corresponding group and user site policy records have been updated, the logic ends at block 438.
Besides adding site policies, the operator is allowed to delete existing site policies and edit existing site policies for a group. If the operator selects the Edit button in the site policy window 145, the corresponding group site policy record of the highlighted group is simply updated with the new information. If a particular site policy is deleted, i.e. the operator highlights the desired site name in the group's site list and selects the Delete button, the corresponding group site policy record is deleted from the group site policy table 130.
Returning to Fig. 7B, if the operator sets a site policy for a user rather than for a group, the logic proceeds through decision block 286 to block 288, where the corresponding record in the user's user site policy table is updated with the new site policy. Once the record of the corresponding user in the user site policy table has been updated, the logic proceeds to block 290, where a record for this user, containing the user's user ID and a replace action flag, is added to the transmit table 134.
Returning to decision block 278, if the policy option was not selected, or was selected but the corresponding selected option is unavailable, the logic proceeds to decision block 292 in Fig. 7C. In decision block 292, the logic determines whether the quota option has been selected. The operator selects the quota option by highlighting a group in the group hierarchy 86 or a user in the user list 88 for which a data traffic quota is to be set. To set a data traffic quota, the operator highlights the desired group in the group hierarchy 86 or the desired user in the user list 88, and selects the quota tab 79 in the main window 84. In response, the GUI 70 generates the quota policy window 148 shown in Fig. 8Q. The operator enters the amount of data, in megabytes, that the group or user being configured is limited to transmitting or receiving in any given period. Returning to Fig. 7C, if the operator sets such a quota policy for a group, the logic proceeds through decision block 296 to block 298, where the corresponding records in the group quota table 132 and the user quota table 125 are updated by the database 72.
The logic implemented by the database 72 to update the group and user quota tables 132 and 125 with the quota newly defined for the highlighted group is shown in more detail in Figs. 13A and 13B. The logic starts at block 440 in Fig. 13A and proceeds to block 442, where the group quota record corresponding to the highlighted group is obtained from the group quota policy table 132. In decision block 444, the logic determines whether the quota entered by the operator equals zero. If not, the logic proceeds to decision block 446, where it determines whether the current quota of the parent group is set to zero or the quota entered by the operator is less than the parent's current quota. If neither condition is satisfied, the logic proceeds to block 448, where an error message is sent via the GUI 70. The logic returns to block 442, and blocks 442 to 446 are repeated until the operator enters an acceptable quota. Therefore, if the entered quota is less than the parent's current quota, or if the parent's current quota equals zero, the logic proceeds to block 450. In block 450, the current quota and personal quota of the current group are set equal to the entered quota, and the group ID of the highlighted group is stored in the current restrictor field of the highlighted group's group quota record. The quota set for the highlighted group is inherited by the users belonging to the highlighted group, by the subgroups of the highlighted group, and by the users belonging to the subgroups of the highlighted group. As described below, however, these users and groups inherit the entered quota only if it is less than their current quota or if their current quota equals zero.
In this respect, the logic proceeds to block 452, where, for each subgroup of the highlighted group whose current quota equals zero or whose current quota is greater than the entered quota, the entered quota replaces the subgroup's current quota in the subgroup's group quota record. In addition, the group ID of the highlighted group is stored in the current restrictor field of each such subgroup's group quota record. In block 454, for each user belonging to the highlighted group or any of its subgroups whose current quota equals zero or whose current quota is greater than the entered quota, the current quota in the user's user quota record is replaced with the entered quota, and the group ID of the highlighted group is stored in the current restrictor field. The logic then ends at block 456. It will be appreciated that no record is added to the transmit table 134 for the user when a quota policy is set, because, unlike the rules, the quota policy is not sent to the filter engine 78.
Returning to decision block 444, if the quota entered by the operator equals zero, whether the current quota of the highlighted group can be set to zero depends on the current quota of the parent group of the highlighted group. In this respect, the logic proceeds from decision block 444 to decision block 458 in Fig. 13B. In decision block 458, the database 72 determines whether the current quota of the parent group equals zero. Those of ordinary skill in the art will appreciate that this is determined simply by locating the parent group's group quota record in the group quota table 132 and testing the value in the current quota field of that record. If the result of decision block 458 is negative, i.e. the current quota of the parent group is greater than zero, the logic proceeds to block 460, where the current quota of the highlighted group is set equal to the current quota of its parent group, so that the highlighted group inherits the current quota of its parent group. In addition, the personal quota of the highlighted group is set to zero, and the group ID of the parent group is stored in the current restrictor field of the highlighted group, so that if the parent group's restriction on the current quota of the highlighted group is later removed, the current quota of the highlighted group reverts to its personal quota.
If, however, the result of decision block 458 is positive, the logic proceeds to block 462, where the current quota and personal quota of the highlighted group are set to zero. It will be appreciated that because the current quota of the parent group has been set to zero, the current quota and personal quota of the highlighted group can freely be set to zero as well. In addition, the group ID of the highlighted group is stored in the current restrictor field of the highlighted group's own record.
Once the current quota and personal quota of the highlighted group have been set, the current quota and personal quota of all subgroups of the highlighted group must be updated as well. In this respect, the logic proceeds to block 464, where the group quota record of the first subgroup of the highlighted group is obtained from the group quota table 132. In decision block 466, the logic determines whether the current quota in the quota policy record of the parent group equals zero. If so, it is possible to set the current quota of the subgroup to zero. The logic therefore proceeds to decision block 468, where it determines whether the personal quota of the subgroup equals zero. If so, the current quota of the subgroup is set to zero in block 470. In addition, the group ID of the highlighted group is stored in the current restrictor field of the subgroup's group quota policy record.
On the other hand, if the personal quota of the subgroup does not equal zero, its current quota is restored in block 472 to the personal quota previously set for the subgroup. In addition, the group ID of the subgroup is stored in the current restrictor field of the subgroup's group quota policy record, indicating that the subgroup's current quota is its own restriction.
Returning to decision block 466, if the current quota of the subgroup's parent group does not equal zero, the subgroup's current quota is set equal to the current quota of its parent group in block 474. In addition, the group ID of the parent group is stored in the current restrictor field of the subgroup's group quota record.
Once the group quota record of the first subgroup of the highlighted group has been processed, the logic proceeds to decision block 476, where the database 72 determines whether the group quota policy of the last subgroup of the highlighted group has been updated. If not, the group quota record of the next subgroup of the highlighted group is obtained in block 478. Blocks 466 to 478 are then repeated for each subgroup of the highlighted group. When the group quota policy record of the last subgroup has been updated, the logic proceeds to blocks 480 to 494, where the user quota record of each user belonging to the highlighted group or any of its subgroups is updated according to the newly entered zero quota.
In this respect, the user quota record of the first user belonging to the highlighted group or any of its subgroups is obtained from the user quota table 125 in the database 72. In decision block 482, the logic determines whether the current quota of the group the user belongs to equals zero. If so, the logic proceeds to decision block 484, which determines whether the user's personal quota equals zero. If the result of decision block 484 is positive, the current quota in the user's user quota policy record is set to zero, and a null value is stored in the current restrictor field, in block 486. If, however, the user's personal quota is not set to zero, the logic proceeds from decision block 484 to block 488, where the user's current quota is restored to the user's personal quota, and a null value is stored in the current restrictor field.
Returning to decision block 482, if the current quota of the user's group does not equal zero, the logic proceeds from decision block 482 to block 490, where the user's current quota is set equal to the current quota of the group the user belongs to, and the group ID of that group is stored in the user's current restrictor field.
Once the user quota record of the first user belonging to the highlighted group or any of its subgroups has been updated as described above, the logic proceeds to decision block 492, which determines whether the user quota record of the last user belonging to the highlighted group or any of its subgroups has been updated. If not, the user quota record of the next user belonging to the highlighted group or any of its subgroups is obtained in block 494. Blocks 482 to 494 are then repeated to update the user quota record of each user belonging to the highlighted group or its subgroups. When the last user has been processed, the result of decision block 492 is positive and the logic ends at block 496.
Returning to Fig. 7C, if the system administrator, intermediate supervisor or manager has set a quota policy for a user rather than for a group, the logic proceeds through decision block 300 to block 302, where the user's corresponding record in the user quota table 125 is updated. It will be appreciated that the current quota is set equal to the quota entered by the operator as long as the entered quota is less than the current quota of the group the user belongs to, or as long as the current quota of the group the user belongs to equals zero. If, however, the entered quota is zero, the user's current quota is set to zero only if the current quota of the group the user belongs to is set to zero. In that case, both the user's current quota and the user's personal quota are set to zero.
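The quota flows above (Figs. 13A and 13B and block 302) amount to three rules: a quota of zero means no limit, a nonzero quota may only be set tighter than the parent's current quota, and each record's current quota is whichever of its personal quota and its parent's current quota is tighter, with the current restrictor naming the winner. This added Python example, not code from the patent, recomputes a whole subtree under those rules instead of following the two per-case flows; `QuotaDirectory`, `QuotaRecord` and the method names are assumptions.

```python
"""Data-volume quota inheritance: zero means unlimited, children may only be
tightened, and lifting a group's quota lets children fall back to their own
personal quota or to the parent's.  Added illustration; names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional

UNLIMITED = 0  # a quota of zero megabytes means no limit


@dataclass
class QuotaRecord:
    current_quota: int = UNLIMITED            # effective limit in megabytes
    personal_quota: int = UNLIMITED           # limit set directly on the subject
    current_restrictor: Optional[str] = None  # group whose quota applies


@dataclass
class QuotaDirectory:
    parent: Dict[str, Optional[str]]          # group -> parent (None at root)
    user_group: Dict[str, str]                # user -> group
    groups: Dict[str, QuotaRecord] = field(default_factory=dict)
    users: Dict[str, QuotaRecord] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for g in self.parent:
            self.groups.setdefault(g, QuotaRecord())
        for u in self.user_group:
            self.users.setdefault(u, QuotaRecord())

    @staticmethod
    def _tighter(a: int, b: int) -> bool:
        """True when quota `a` is stricter than `b` (0 is the loosest)."""
        return a != UNLIMITED and (b == UNLIMITED or a < b)

    def _inherit(self, rec: QuotaRecord, owner: Optional[str],
                 parent: Optional[str]) -> None:
        """Recompute one record from its personal quota and its parent's
        current quota; the restrictor names whichever setting wins
        (None for a user's own quota, as blocks 486 and 488 store null)."""
        p = self.groups[parent] if parent is not None else None
        if p is not None and self._tighter(p.current_quota, rec.personal_quota):
            rec.current_quota, rec.current_restrictor = p.current_quota, parent
        elif rec.personal_quota != UNLIMITED:
            rec.current_quota, rec.current_restrictor = rec.personal_quota, owner
        else:
            rec.current_quota, rec.current_restrictor = UNLIMITED, None

    def _recompute_subtree(self, group: str) -> None:
        self._inherit(self.groups[group], group, self.parent[group])
        for u, g in self.user_group.items():
            if g == group:
                self._inherit(self.users[u], None, group)
        for sub, p in self.parent.items():
            if p == group:
                self._recompute_subtree(sub)

    def set_group_quota(self, group: str, megabytes: int) -> None:
        """Blocks 444-450: a nonzero quota must be tighter than the parent's
        current quota; the whole subtree then inherits the change."""
        parent = self.parent[group]
        if megabytes != UNLIMITED and parent is not None:
            pq = self.groups[parent].current_quota
            if not (pq == UNLIMITED or megabytes < pq):
                raise ValueError(f"quota {megabytes} MB not below parent's {pq} MB")
        self.groups[group].personal_quota = megabytes
        self._recompute_subtree(group)

    def set_user_quota(self, user: str, megabytes: int) -> None:
        """Block 302: same validation against the user's group."""
        group = self.user_group[user]
        gq = self.groups[group].current_quota
        if megabytes != UNLIMITED and not (gq == UNLIMITED or megabytes < gq):
            raise ValueError(f"quota {megabytes} MB not below group's {gq} MB")
        self.users[user].personal_quota = megabytes
        self._inherit(self.users[user], None, group)

    def effective(self, subject: str) -> int:
        rec = self.users[subject] if subject in self.users else self.groups[subject]
        return rec.current_quota


def demo() -> QuotaDirectory:
    """Constructed sample hierarchy Corp > Eng > Dev with one user in each."""
    d = QuotaDirectory(parent={"Corp": None, "Eng": "Corp", "Dev": "Eng"},
                       user_group={"alice": "Corp", "bob": "Eng", "carol": "Dev"})
    d.set_group_quota("Dev", 100)         # Dev's own limit: 100 MB
    d.set_group_quota("Eng", 50)          # Eng tighter: Dev and carol now at 50
    d.set_user_quota("carol", 20)         # carol tighter still
    d.set_group_quota("Eng", UNLIMITED)   # lift Eng: Dev back to 100, carol keeps 20
    return d
```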
Returning to decision block 292, if the quota option was not selected, or was selected but the quota entered by the operator was not accepted for the desired group or user, the logic proceeds to decision block 304, which determines whether the operator has exited the main window 84 or has selected the send user policy option from the File drop-down menu of the main window 84. If not, the logic returns to block 222 in Fig. 7A, and blocks 222 to 304 are repeated so that the operator can select further options. If, however, the result of decision block 304 is positive, the logic proceeds to block 306, where the user policy table 136 is built by the database 72. As will be appreciated from the following discussion, the user policy table built by the database 72 is the collection of all the various protocol policies, site policies and file type policies defined for each user in the user list 88. Once built, the user policy table is read by the filter executive 76 of the network access program 80. The filter executive optimizes the user policies found in the table and creates a rule set for each user, which the filter engine 78 uses to filter the IP packet traffic passing through the access server 50. Using the user policy table 136, the user policies created by the filter executive 76 determine which IP packets are allowed through by the filter engine 78 and which IP packets are logged.
The logic implemented by the database 72 to create the user policy table 136 is shown in detail in Fig. 14. The logic starts at block 500 and proceeds to block 502, where the first record is obtained from the transmit table 134. In block 504, using the user ID in the transmit table record as an index, the user protocol policy table 122 is scanned for all records having this user ID. In block 506, a record is added to the user policy table 136 for each different user protocol policy record identified. Each record added to the user policy table contains the user ID, a rule type code identifying the current rule type as a protocol rule, the port number of the protocol, obtained from the protocol table 116, and the access flag of the protocol, i.e. allow or deny. In addition, the record added to the user policy table contains an action flag corresponding to the one set in the transmit table record, i.e. add, replace or delete. Therefore, when the filter engine 78 eventually receives the filter rules prepared by the filter executive 76 from the user policy table 136, the filter engine adds the user protocol rule, deletes the corresponding user protocol rule, or replaces the existing user protocol rule with the more current user protocol rule. Besides the fields and flags described above, a log flag and a notify flag are included in the record added to the user policy table 136. The notify flag is set to the same value as the notify flag set in the collaborative default table 110, and the log flag is set to the same value as the log on/off flag (Log-On-Off) set in the collaborative default table 110.
At block 508, user file type policy table 124 is also scanned. Using the user ID, user file type policy table 124 is scanned for all of the user's file type policy records. At block 510, for each file extension denied to this user, a record is added to this user's policy table. The record includes the user ID, a rule type code identifying the current rule as a file type rule, the denied file extension, and the access flag, which is necessarily set to deny. In addition, the record includes the action flag, log flag and notify flag from the corresponding transmission table record.
At block 512, using the user ID in the transmission table record as an index, user site policy table 123 is scanned for all of the user's site policy records. At block 514, for each site for which the user has a site policy record, a record is added to subscriber policy table 136. Each record includes the user ID, a rule type code identifying this rule as a site rule, and the IP address, site flag and access flag obtained from site table 126 and site IP address table 127. In addition, the record includes the log flag and notify flag found in the transmission table record, and the action flag.
Once user protocol, site and file type policy tables 122, 123 and 124 have been scanned, and the corresponding records have been added to subscriber policy table 136 for the user identified in the first record of transmission table 134, logic proceeds to decision block 516, where it determines whether the last record in the transmission table has been obtained. If not, the next record of transmission table 134 is obtained in block 518, and blocks 504 to 516 are repeated for that next record in the transmission table. Accordingly, blocks 504 to 518 are repeated for each record in the transmission table. When the end of the transmission table is reached, a record for each protocol policy, file type policy and site policy has been added to subscriber policy table 136 for each user whose policies have been added, deleted or changed since the last subscriber policy table 136 was built.
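The Fig. 14 walk over the transmission table, as an added Python illustration (this is not code from the patent). The table layouts, field names, rule type codes and sample rows are constructed assumptions; what the block preserves from the description is which table each field of a subscriber policy record is drawn from, in particular that protocol records take their log and notify flags from collaborative default table 110 while file type and site records take them from the transmission table record:

```python
"""Building subscriber policy table 136 from transmission table 134 and the
per-user protocol, file type and site policy tables (Fig. 14 flow).
Added Python illustration; not code from the patent. The table layouts,
field names, rule type codes and sample rows are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

# Rule type codes: the patent names the three rule types but not their codes.
PROTOCOL_RULE, FILE_TYPE_RULE, SITE_RULE = "P", "F", "S"


@dataclass(frozen=True)
class PolicyRecord:
    """One row of subscriber policy table 136 (constructed layout)."""
    user_id: int
    rule_type: str
    action: str                      # "add", "replace" or "delete", from table 134
    access: str                      # "allow" or "deny"
    log: bool
    notify: bool
    protocol_id: Optional[str] = None   # protocol rules
    port: Optional[int] = None          # protocol rules
    extension: Optional[str] = None     # file type rules (always denied)
    ip: Optional[str] = None            # site rules
    site_flag: Optional[str] = None     # site rules


def build_subscriber_policy_table(transmission, user_protocol, user_file_type,
                                  user_site, protocol_table, site_ip, defaults):
    """Walk transmission table 134 (blocks 502-518) and emit one record per
    protocol, file type and site policy of each listed user.

    transmission:   [(user_id, action, log, notify), ...]            table 134
    user_protocol:  {user_id: [protocol_id, ...]}                    table 122
    user_file_type: {user_id: [".exe", ...]}                         table 124
    user_site:      {user_id: [(site_id, site_flag, access), ...]}   table 123
    protocol_table: {protocol_id: (port, access)}                    table 116
    site_ip:        {site_id: ip_address}                            tables 126/127
    defaults:       {"log_on_off": bool, "notify": bool}             table 110
    """
    table = []
    for user_id, action, log, notify in transmission:
        # Blocks 504-506: protocol records take their log/notify flags from
        # collaborative default table 110, port and access from table 116.
        for protocol_id in user_protocol.get(user_id, []):
            port, access = protocol_table[protocol_id]
            table.append(PolicyRecord(user_id, PROTOCOL_RULE, action, access,
                                      defaults["log_on_off"], defaults["notify"],
                                      protocol_id=protocol_id, port=port))
        # Blocks 508-510: one record per denied extension; access is always deny
        # and log/notify come from the transmission table record.
        for ext in user_file_type.get(user_id, []):
            table.append(PolicyRecord(user_id, FILE_TYPE_RULE, action, "deny",
                                      log, notify, extension=ext))
        # Blocks 512-514: site records carry the IP resolved through tables 126/127.
        for site_id, site_flag, access in user_site.get(user_id, []):
            table.append(PolicyRecord(user_id, SITE_RULE, action, access, log, notify,
                                      ip=site_ip[site_id], site_flag=site_flag))
    return table


def sample_table():
    """Constructed sample input: two users changed since the last build."""
    transmission = [(7, "add", True, False), (9, "replace", False, True)]
    user_protocol = {7: ["http", "pop3"], 9: ["ftp"]}
    user_file_type = {7: [".exe", ".vbs"]}
    user_site = {7: [("s1", "allow_all_except", "deny")]}
    protocol_table = {"http": (80, "allow"), "pop3": (110, "allow"), "ftp": (21, "deny")}
    site_ip = {"s1": "192.0.2.10"}           # documentation address, not a real site
    defaults = {"log_on_off": True, "notify": True}
    return build_subscriber_policy_table(transmission, user_protocol, user_file_type,
                                         user_site, protocol_table, site_ip, defaults)


if __name__ == "__main__":
    for rec in sample_table():
        print(rec)
```

Running the module prints the six records produced for the two sample users; the action flag of each record is what lets the filter engine later add, replace or delete the matching rule rather than rebuild the whole set.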
Returning to Fig. 7C, once subscriber policy table 136 has been built as described above, logic proceeds to block 308, where the subscriber policy table transmit flag is set. It will be appreciated that once the subscriber policy transmit flag is set, filter executive program 76 reads subscriber policy table 136 and, as will be described in detail below, begins optimizing the policies into rules. After the subscriber policy table transmit flag is set, the user mapping transmit flag is set at block 310. It will be appreciated that once this flag is set, filter executive program 76 will also read user mapping table 138. Logic then ends at block 312.

Optimization and definition of user rules
As noted above, once database 72 has built subscriber policy table 136, filter executive program 76 reads subscriber policy table 136, optimizes the user policies into a rule set for each user, and then sends the rule sets to filter engine 78. The logic implemented by filter executive program 76 to build the rules is shown in more detail in Figs. 15A, 15B and 15C. Logic starts at block 522 in Fig. 15A and proceeds to block 524, where it determines whether name service manager 74 is running. If not, filter executive program 76 cannot perform its responsibilities, so logic exits at block 526. If name service manager 74 is running, logic proceeds to decision block 528, where it determines whether another copy of filter executive program 76 is running. If the current copy of the filter executive program is not needed, logic exits at block 530. Otherwise logic proceeds to block 532, where the filter executive program begins initializing filter engine 78.
The logic implemented by filter executive program 76 to initialize filter engine 78 is shown more clearly in Fig. 16. Logic starts at block 590 and proceeds to block 592, where it determines whether filter engine 78 is running. If so, logic ends at block 594. Otherwise logic goes to block 594, where filter executive program 76 reads collaborative default table 110 and defines collaborative rule set 150 as shown in Fig. 17. Specifically, filter executive program 76 defines a Pass-through rule equal to the Pass-through flag, a Log-no-block rule equal to the Log-no-block flag, a Log-on-off rule equal to the Log-on-off flag, and a notify-on-off rule equal to the notify flag of collaborative default table 110, and stores these rules in collaborative rule set 150. In addition, filter executive program 76 defines a default rule set that filter engine 78 uses to filter an IP packet when the packet matches no other defined rule. More specifically, filter executive program 76 defines a default deny rule, a default log rule and a default no-notify rule and adds them to collaborative rule set 150. Those of ordinary skill in the art will understand that the defaults may be set to whatever values are deemed appropriate, i.e. allow/deny, log/no-log, notify/no-notify. Once collaborative rule set 150 has been defined at block 594, the collaborative rules ready flag is set at block 596, notifying database 72 that the collaborative rules have been processed.
In block 598, filter executive program 76 reads global network protocol table 112 and defines inbound global network protocol rule set 152 and outbound global network protocol rule set 154 as shown in Fig. 17. Inbound global network protocol rule set 152 includes a record corresponding to each record of global network protocol table 112 as stored by database 72, except that each record in the inbound global network protocol rule set includes an in/out flag set equal to "in". Each record retains the protocol number field, the port number field (which is referred to as the destination port number, since this is an inbound rule set), an allow/deny rule equal to the value of the access flag in the corresponding record, a Log/no-Log rule equal to the value of the Log flag in the corresponding record, a notify/no-notify rule equal to the notify flag in the corresponding record, and a rule type code indicating that the rule is a protocol type rule.
Outbound global network protocol rule set 154 is defined in the same way, except that the in/out flag in each record is set to "out" and the port number is referred to as the source port number.
Once inbound and outbound global network protocol rule sets 152 and 154 have been defined at block 598, logic proceeds to block 600, where filter executive program 76 reads subscriber policy table 136 from database 72 and defines user rule set 156, which is sent to filter engine 78. User rule set 156 as defined for filter engine 78 is shown in Fig. 17. The logic implemented by filter executive program 76 to define user rule set 156 is shown in more detail in Fig. 18. Logic starts at block 608 and proceeds to block 610, where the first user for whom rules are to be defined is identified. It will be appreciated that the first user may be identified as the user ID corresponding to the first record in subscriber policy table 136. At decision block 612, logic determines whether the subscriber policy table holds any record for the identified user whose rule type indicates a file type rule. If so, logic proceeds to block 614, where a file extension deny rule 157 is defined in user rule set 156. File extension deny rule 157 is a record in user rule set 156 that includes the user ID, the rule type code, an allow/deny rule set equal to deny, a Log/no-Log rule set equal to the value of the Log-on-off rule in collaborative rule set 150, and a notify/no-notify rule set equal to the notify-on-off rule in collaborative rule set 150. In addition, the file type deny rule added to user rule set 156 includes a file extension field listing all file extensions denied to this user.
Returning to Fig. 18, if no record with a file type rule type code is found in the subscriber policy table, or if such a record is found and file extension deny rule 157 has been defined, logic goes to decision block 616, where it determines whether subscriber policy table 136 holds any record for the user having a protocol rule type code. If it does, logic proceeds to block 618, where a protocol deny rule 158 is defined for each protocol denied to this user and added to user rule set 156. Accordingly, for each record in subscriber policy table 136 for the user having a protocol rule type code, a corresponding protocol deny rule 158 is added to user rule set 156 following the file type deny rule. Each such rule includes the user ID, the protocol rule type code, the protocol ID found in the corresponding user policy record, the port number found in the corresponding user policy record, a Log/no-Log rule equal to the Log flag in the corresponding user policy record, and a notify/no-notify rule equal to the notify flag in the corresponding user policy record. In addition, the allow/deny rule of the protocol is necessarily set to deny. As discussed in detail below, protocol allow rules can only be set after any site rules have been configured.
If subscriber policy table 136 contains no record with a protocol rule type code, or if the subscriber policy table contains such records and a protocol deny rule 158 has been set for each protocol whose access flag equals deny, logic proceeds to decision block 620, where it determines whether subscriber policy table 136 holds any record with a site rule type code. If so, logic proceeds to block 622 and defines site rules 159 for this user.
The logic for defining site rules 159 for a user is shown in more detail in Fig. 19. Logic starts at block 636 and proceeds to decision block 638, where it determines whether the site flag in the first record found in subscriber policy table 136 is set to allow-all-with-some-exceptions mode. It will be appreciated that if the site flag in this first record is set to allow all with some exceptions, the site flag in every other record in the subscriber policy table having a site rule type code will also be set to allow all with some exceptions. If the result of decision block 638 is positive, logic goes to block 640, where filter executive program 76 scans subscriber policy table 136 for all sites denied to the user. More specifically, filter executive program 76 scans subscriber policy table 136 to obtain each record for the user having a site rule type code, so as to obtain the IP addresses of the denied sites. At block 642, filter executive program 76 then scans subscriber policy table 136 for all protocols the user is allowed to access; specifically, the filter executive program scans subscriber policy table 136 for all records having a protocol rule type code and an access flag set equal to allow. At block 644, the denied sites are combined with the allowed protocols to define site/protocol deny rules. Specifically, each denied site record found in block 640 is combined with each allowed protocol record for the user found in block 642 to create a combined rule that not only denies access to a particular site but also prevents that site from being accessed with any protocol that is otherwise allowed. The effect is to block all access to the site through every protocol known to the user. For example, if the POP3 email protocol is otherwise allowed to the user, the user will still be unable to use the POP3 protocol to send any email to this denied site.
Returning now to Fig. 17, each denied site record found in block 640 is combined with each allowed protocol found in block 642, and a site/protocol deny rule is defined for each site/allowed protocol combination. Accordingly, for each of these combinations a denied site/protocol deny rule is added to user rule set 156, including the user ID, the site rule type code, the protocol ID of the allowed protocol, the port number of the allowed protocol, the IP address of the denied site (referred to as the destination IP address), an allow/deny rule set to deny, a Log/no-Log rule set equal to the log flag in the corresponding user site rule type record, and a notify/no-notify rule equal to the notify flag in the corresponding site rule type record.
At block 646, a site/protocol allow rule is then defined for each allowed protocol for all other sites, i.e. those not denied. Thus, for each allowed protocol found in block 642, a site/protocol allow rule is added to user rule set 156 that includes the user ID, the site rule type code, the protocol ID identifying the allowed protocol, the port number of the allowed protocol, a wildcard or "don't care" IP address, an allow/deny rule set to allow, a Log/no-Log rule equal to the log flag in the corresponding allowed protocol record, and a notify/no-notify rule equal to the notify flag in the corresponding allowed protocol record. Once site/protocol allow rules have been defined for all allowed protocols and all sites not previously identified as denied, logic ends at block 656.
Returning to block 638, if the site flag is not set to allow all with exceptions but is instead set to deny all with some site exceptions, logic proceeds from decision block 638 to block 648. At block 648, filter executive program 76 scans subscriber policy table 136 for all sites the user is allowed to access; more specifically, subscriber policy table 136 is scanned for all records for the user having a site rule type code. At block 650, the filter executive program scans subscriber policy table 136 for all protocols the user is allowed to access; more specifically, subscriber policy table 136 is scanned for all records for the user having a protocol rule type code and an access flag set to allow. At block 652, the records found in block 648 are combined with the records found in block 650 to define a site/protocol allow rule for each allowed site/allowed protocol combination. As shown in Fig. 17, each defined site/protocol allow rule includes the user ID, the site rule type code, the protocol ID, the port number of the allowed protocol, the IP address of the allowed site, an allow/deny rule set to allow, a Log/no-Log rule equal to the log flag in the corresponding site rule type record, and a notify/no-notify rule equal to the notify flag in the corresponding user policy record. The result of combining each allowed site with each allowed protocol is that a site/protocol allow rule is defined permitting access to the specified site with any allowed protocol.
Once the site/protocol allow rules have been defined, logic goes to block 654, where combined site/protocol deny rules are set for any site not explicitly defined as allowed. In other words, the user is denied access to any site not explicitly defined, over any protocol the user is otherwise allowed to use. Accordingly, at block 654, a site/protocol deny rule is added to user rule set 156 for each allowed protocol found for the user in block 650. The site/protocol deny rule includes the user ID, the site rule type code, the protocol ID, the port number of the allowed protocol, a wildcard or "don't care" IP address, an allow/deny rule set to deny, a Log/no-Log rule equal to the log flag in the corresponding user policy record for the allowed protocol, and a notify/no-notify rule equal to the notify flag in the corresponding user policy record for the allowed protocol. Once a site/protocol deny rule has been set for each allowed protocol found in block 650, logic goes from block 654 to block 656 and ends.
Returning to Fig. 18, once site rules 159 have been defined, logic skips block 624 and goes directly from block 622 to block 626. If, however, no record with a site rule type code is found in subscriber policy table 136 at decision block 620, logic goes to block 624, where a protocol allow rule 155 can be defined for each protocol the user is allowed to access. It will be appreciated that, since no site records were found in subscriber policy table 136, protocol allow rules 155 are not restricted to particular sites as the site rules just discussed are. As shown in Fig. 17, each protocol allow rule 155 in user rule set 156 includes the user ID, the protocol rule type code, the protocol ID, the port number, an allow/deny rule set to allow, a Log/no-Log rule equal to the log flag in the user policy record of the corresponding protocol, and a notify/no-notify rule equal to the notify flag in the user policy record of the corresponding protocol. It will be appreciated that any records in subscriber policy table 136 for the user having a protocol rule type code and a deny access flag have already been dealt with, their corresponding protocol deny rules 158 having been added to the user rule set earlier at block 618.
Once the appropriate site rules and protocol rules have been defined, logic proceeds to blocks 626 to 630 in order to set defaults 153 for unknown protocols, i.e. protocols that have never been defined by network access program 80 using any of the methods described above. In this regard, logic goes to decision block 626, where it determines whether the Log-no-block rule in collaborative rule set 150 is set to "on". If not, the collaborative rules deny all users access to any unknown protocol. Accordingly, in block 628 a deny-unknown-protocol rule is defined for each user having a record in the subscriber policy table. As shown in Fig. 17, each deny-unknown-protocol rule includes the user ID, the protocol rule type code, a protocol ID set to null, a wildcard or "don't care" IP address, a wildcard or "don't care" port number, an allow/deny rule set to deny, a Log/no-Log rule equal to the Log-on-off rule in collaborative rule set 150, and a notify/no-notify rule equal to the notify-on-off rule in collaborative rule set 150.
On the other hand, if the Log-no-block rule in collaborative rule set 150 is set to "on", logic proceeds from decision block 624 to block 630, where an allow-unknown-protocol rule is defined for each user having a record in subscriber policy table 136. Each allow-unknown-protocol rule includes the same fields as the deny-unknown-protocol rule, except that the allow/deny rule is set equal to allow rather than deny.
Once unknown protocol rules 153 have been defined as described above, logic proceeds to decision block 632, where it determines whether the last user having any record in subscriber policy table 136 has been processed. If not, logic proceeds to block 633, where the next user having a record in subscriber policy table 136 is identified. Blocks 612 to 632 are then repeated for each user having a record in subscriber policy table 136. When the last user has been processed and the result of decision block 630 is positive, the complete user rule set 156 has been defined by filter executive program 76. Accordingly, the logic of Fig. 18 ends at block 634, and the logic of Fig. 16 for initializing the filter engine resumes at block 602. At block 602, the user rules ready flag is set to notify the database that the user policies have been processed. At block 604, filter executive program 76 starts filter engine 78. Then, at block 605, filter executive program 76 sends collaborative rules 150, inbound and outbound global network protocol rules 152 and 154, and user rules 156 to filter engine 78. The logic for initializing the filter engine then ends at block 606.
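The per-user compilation of Figs. 18 and 19, as an added Python illustration (not code from the patent). The record layout, the rule type codes and the first-match evaluation in `decide` are constructed assumptions; the ordering the block produces for each user (file type deny, protocol denies, site rules, then the unknown-protocol default) follows the order in which the description adds them. The evaluator shows why the site/protocol combination matters: a denied site stays unreachable even over an allowed protocol such as POP3, and an unknown protocol falls through to the Log-no-block default:

```python
"""Compiling user rule set 156 from subscriber policy table 136 along the flow
of Figs. 18 and 19, then evaluating a few requests against the result.
Added Python illustration; not code from the patent. The record layout, the
rule type codes and the first-match evaluation order are constructed assumptions."""


def _rule(uid, rtype, access, src, **fields):
    """Constructed rule record; log/notify are copied from record `src`."""
    rule = dict(user=uid, type=rtype, access=access, log=src["log"], notify=src["notify"])
    rule.update(fields)
    return rule


def compile_user_rules(policy, collab):
    """policy: rows of subscriber policy table 136 as dicts with keys user, type
    ("P" protocol, "F" file type, "S" site), access, log, notify and, per type,
    protocol/port, extension, or ip/site_flag.
    collab: collaborative rule set 150 as {log_no_block, log, notify}."""
    rules = []
    for uid in dict.fromkeys(r["user"] for r in policy):           # blocks 610/633
        recs = [r for r in policy if r["user"] == uid]
        exts = [r["extension"] for r in recs if r["type"] == "F"]
        if exts:                                                   # block 614
            rules.append(_rule(uid, "F", "deny", collab, extensions=exts))
        protos = [r for r in recs if r["type"] == "P"]
        for p in protos:                                           # block 618
            if p["access"] == "deny":
                rules.append(_rule(uid, "P", "deny", p, protocol=p["protocol"], port=p["port"]))
        allowed = [p for p in protos if p["access"] == "allow"]
        sites = [r for r in recs if r["type"] == "S"]
        if sites and sites[0]["site_flag"] == "allow_all_except":  # Fig. 19, blocks 640-646
            for s in sites:                 # every listed site is a denied site
                for p in allowed:
                    rules.append(_rule(uid, "S", "deny", s, protocol=p["protocol"],
                                       port=p["port"], ip=s["ip"]))
            for p in allowed:               # any other site, over each allowed protocol
                rules.append(_rule(uid, "S", "allow", p, protocol=p["protocol"],
                                   port=p["port"], ip="*"))
        elif sites:                                                # blocks 648-654
            for s in sites:                 # every listed site is an allowed site
                for p in allowed:
                    rules.append(_rule(uid, "S", "allow", s, protocol=p["protocol"],
                                       port=p["port"], ip=s["ip"]))
            for p in allowed:               # everything not listed is denied
                rules.append(_rule(uid, "S", "deny", p, protocol=p["protocol"],
                                   port=p["port"], ip="*"))
        else:                                                      # block 624
            for p in allowed:
                rules.append(_rule(uid, "P", "allow", p, protocol=p["protocol"], port=p["port"]))
        # Blocks 626-630: unknown-protocol default, allow only when Log-no-block is on.
        rules.append(_rule(uid, "P", "allow" if collab["log_no_block"] else "deny",
                           collab, protocol=None, port="*", ip="*"))
    return rules


def decide(rules, uid, protocol, port, ip):
    """First matching rule for the user wins (an assumption about how the
    engine applies the ordered set); the unknown-protocol rule sits last."""
    for r in rules:
        if r["user"] != uid or r["type"] == "F":
            continue
        if (r["protocol"] in (None, protocol) and r["port"] in ("*", port)
                and r.get("ip", "*") in ("*", ip)):
            return r["access"]
    return "deny"   # collaborative default deny rule (block 594)


def sample_policy():
    """Constructed rows: user 7 may use HTTP and POP3 but not SMTP, with one
    site denied under allow-all-except; user 9 has no site records."""
    return [
        dict(user=7, type="F", extension=".exe", access="deny", log=True, notify=False),
        dict(user=7, type="P", protocol="http", port=80, access="allow", log=True, notify=False),
        dict(user=7, type="P", protocol="pop3", port=110, access="allow", log=True, notify=True),
        dict(user=7, type="P", protocol="smtp", port=25, access="deny", log=True, notify=True),
        dict(user=7, type="S", ip="192.0.2.10", site_flag="allow_all_except",
             access="deny", log=False, notify=True),
        dict(user=9, type="P", protocol="ftp", port=21, access="allow", log=True, notify=False),
    ]


SAMPLE_COLLAB = {"log_no_block": False, "log": True, "notify": False}

if __name__ == "__main__":
    rs = compile_user_rules(sample_policy(), SAMPLE_COLLAB)
    print(decide(rs, 7, "pop3", 110, "192.0.2.10"))   # the denied site over POP3
```

With the sample data, user 7 receives seven rules: the file extension deny, the SMTP deny, one site/protocol deny per allowed protocol for the listed site, one wildcard allow per allowed protocol, and the unknown-protocol default. Flipping `log_no_block` to True changes only the last rule of each user.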
Returning to Fig. 15A, once filter engine 78 has been initialized by filter executive program 76, logic proceeds from block 532 to block 534. At block 534, filter executive program 76, acting as a name service agent of name service manager 74, sends a registration request to name service manager 74. As will be described in more detail below, once filter executive program 76 is registered with name service manager 74 as a name service agent, filter executive program 76 can send static user mapping table 138 to name service manager 74 for further processing. As will be described in detail below, filter executive program 76 registers with name service manager 74 as a static parent of mapping information. At block 536, filter executive program 76, acting as a name service application rather than a name service agent, sends a registration request to name service manager 74. Once filter executive program 76 is registered with name service manager 74 as an application, filter executive program 76 receives updated mapping information from name service manager 74. Therefore, when filter engine 78 filters IP packets using user rules 156, filter executive program 76 can provide filter engine 78 with the current mapping of computers to users and of computers to IP addresses.
After the registration requests have been sent to the name service manager at blocks 534 and 536, filter executive program 76 kicks off a logging thread, implemented by filter engine 78, to log the IP packet traffic passing through it. The logic implemented by the filter engine to log IP packet traffic is shown in more detail in Fig. 23. The detailed description of Fig. 23 must, however, be deferred until filter engine 78 has been fully described, so that the discussion of the logging thread kicked off by filter executive program 76 is in its proper context.
At block 538, after kicking off the logging thread, filter executive program 76 also kicks off a notify thread, implemented by filter executive program 76, which alerts the user when the user's request to access a site has been denied. The logic implemented by the filter executive program to notify the user and take certain actions is shown in more detail in Fig. 26; the discussion of Fig. 26 is likewise deferred until the filter executive program has been fully described, so that the discussion of the notify thread is in its proper context.
After filter executive program 76 kicks off the notify thread to notify users of its actions, logic proceeds to block 542, where filter executive program 76 waits a predetermined time interval before taking any further action. In the exemplary embodiment of the present invention described here, the predetermined time interval implemented by filter executive program 76 is 15 seconds. After the 15-second interval expires, filter executive program 76 checks collaborative default table 110, global network protocol table 112, subscriber policy table 136, user mapping table 138 and time schedule table 114 of database 72 for any change. If any of these tables has changed, the corresponding rules are defined by filter executive program 76 and then made available to filter engine 78.
In this regard, once the predetermined time interval expires, logic proceeds to block 544, where filter executive program 76 reads collaborative default table 110 from database 72. At decision block 546, logic determines whether any collaborative default has changed since filter executive program 76 last read the collaborative default table. Specifically, the filter executive program looks for any difference between the current rules in collaborative rule set 150 and the information just read from collaborative default table 110 of database 72. If there is any change, logic goes to block 548, where filter executive program 76 defines the collaborative rules. As discussed above with respect to initializing filter engine 78, collaborative rule set 150 is defined by setting the Log-no-block rule, Log-on-off rule and notify-on-off rule equal to their corresponding values in collaborative default table 110. Once defined, the collaborative rules ready flag is set at block 550, and at block 551 collaborative rules 150 are sent to filter engine 78.
If the collaborative defaults have not been updated, or if they have been updated and the corresponding collaborative rules have been defined, logic proceeds to decision block 552, where it determines whether the global network rule table transmit flag has been set by database 72. If so, logic goes to block 554, where, as described above, filter executive program 76 reads global network protocol table 112 and defines inbound global network rule set 152 and outbound global network rule set 154. When this is finished, the global network rules ready flag is set in block 556, and inbound and outbound global network rules 152 and 154 are sent to filter engine 78 in block 557.
If the global network rule table transmit flag is not set, or if it is set and the corresponding inbound and outbound global network rules 152 and 154 have been defined, logic proceeds to block 558, where it determines whether the subscriber policy table transmit flag has been set by database 72. If so, logic proceeds to block 560, where filter executive program 76 reads subscriber policy table 136 and defines user rule set 156. It will be appreciated that user rule set 156 is defined as described above and shown in Figs. 18 and 19. Once user rule set 156 has been defined, logic proceeds to block 562, where the user rules ready flag is set, and user rule set 156 is then sent to filter engine 78 at block 563.
If the subscriber policy transmit flag is not set, or if it has been set and the user rules have been defined, logic proceeds to decision block 564, where it determines whether the user mapping flag has been set by database 72. If so, filter executive program 76, acting as a name service agent, sends static user mapping table 138 to name service manager 74 at block 566. As will be described in detail below, name service manager 74 uses the mapping information in user mapping table 138 to update the mapping information it maintains in master mapping table 178. Name service manager 74 then returns the updated mapping information to filter executive program 76. As shown in Fig. 17, user mapping rule table 140 stored by filter engine 78 is updated when users of computers connected to LAN 44 log in and log out, and when name service manager 76 supplies updated mapping information because the IP address of a computer connected to LAN 44 has changed.
If the user mapping flag is not set, or if it is set and static user mapping table 138 has been sent to name service manager 74, logic proceeds to decision block 568, where it determines whether the time schedule transmit flag has been set by database 72. If so, filter executive program 76 may need to prepare a timing rule set, which filter engine 78 will use to deny access to certain protocols during specified time periods. As will be described in detail below, the timing rules are essentially scheduled inbound and outbound global network protocol rules added to inbound and outbound global network protocol rule sets 152 and 154.
In the present embodiment of the invention described herein, filter executive program 76 defines the timing rules only periodically, preferably once per hour. Therefore, if the time schedule transmit flag has been set by database 72, logic determines in block 570 whether one hour has passed since the timing rules were last defined. If not, no new timing rules are defined and logic returns. On the other hand, if one hour has passed since the timing rules were last defined, logic proceeds to block 572, where filter executive program 76 reads time schedule table 114 from database 72, defines a timing rule set, and then sends it to filter engine 78.
The logic implemented by filter executive program 76 to define the timing rules is shown in more detail in Fig. 20. Logic starts at block 658 in Fig. 20 and proceeds to block 659, where filter executive program 76 reads global network protocol table 112 and defines inbound global network protocol rule set 152 and outbound global network protocol rule set 154 as described above. Then, at block 660, the filter executive program organizes the records in time schedule table 114 into groups by protocol ID and, within each group, into subgroups by start date. At block 662, the first record in the regrouped time schedule table 114 is obtained. At decision block 664, logic determines whether the current time falls between the start time and end time found in that first record. If so, filter executive program 76 defines inbound and outbound global network protocol rules for the corresponding protocol, and at block 666 adds these inbound and outbound rules to inbound and outbound global network rule sets 152 and 154 respectively. Logic then proceeds to decision block 668, where it determines whether the last record in time schedule table 114 has been processed.
Returning to decision block 664, if the current time does not fall between the start time and end time found in the first record of time schedule table 114, logic skips block 666 and goes directly to decision block 668. If the result of decision block 668 is negative, the next record in time schedule table 114 is obtained, and blocks 664 to 668 are repeated for that next record. Blocks 664 to 668 are thus repeated for each record in the time schedule table, so that a "timing rule", i.e. an inbound global network protocol rule and an outbound global network protocol rule, is added to global network protocol rule sets 152 and 154 respectively for each time schedule record whose start time and end time bracket the current time. Logic then ends at block 674.
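The inbound/outbound global rule sets of block 598 together with the Fig. 20 timing rules, as an added Python illustration (not code from the patent). Field names, the schedule row layout, the log and notify flags given to timing rules and the sample rows are constructed assumptions; the description fixes only that the port is read as destination port for inbound and source port for outbound rules, that schedule rows are grouped by protocol ID and start date, and that a deny rule pair is added for every window containing the current time:

```python
"""Inbound and outbound global network protocol rule sets 152 and 154 (block
598) and the scheduled "timing rules" added to them per Fig. 20. Added Python
illustration; not code from the patent. Field names, the schedule row layout,
the flags given to timing rules and the sample rows are constructed assumptions."""
from datetime import datetime


def global_rule_sets(protocol_table):
    """protocol_table: rows of global network protocol table 112 as
    (protocol_number, port, access, log, notify). Returns (inbound, outbound):
    the same records with an in/out flag, the port read as destination port
    for inbound rules and as source port for outbound rules."""
    inbound, outbound = [], []
    for number, port, access, log, notify in protocol_table:
        base = dict(type="P", protocol=number, access=access, log=log, notify=notify)
        inbound.append(dict(base, direction="in", dst_port=port))
        outbound.append(dict(base, direction="out", src_port=port))
    return inbound, outbound


def add_timing_rules(schedule, now, inbound, outbound):
    """schedule: rows of time schedule table 114 as
    (protocol_number, port, start, end) with datetime bounds.
    Blocks 660-668: order rows by protocol ID then start date, and for every
    row whose window contains `now` append an inbound and an outbound deny
    rule. Returns the number of windows found open."""
    ordered = sorted(schedule, key=lambda r: (r[0], r[2].date()))   # block 660
    active = 0
    for number, port, start, end in ordered:
        if not (start <= now < end):                                 # block 664
            continue
        # Timing rules deny the protocol for the window; the log/notify flags
        # they carry are not specified on the page, so these are assumptions.
        base = dict(type="P", protocol=number, access="deny", log=True,
                    notify=False, timed=True)
        inbound.append(dict(base, direction="in", dst_port=port))   # block 666
        outbound.append(dict(base, direction="out", src_port=port))
        active += 1
    return active


def build_rule_sets(now_iso):
    """Constructed sample: three global protocol rows and three schedule
    windows; `now_iso` is the current time as an ISO 8601 string."""
    now = datetime.fromisoformat(now_iso)
    protocol_table = [(6, 80, "allow", True, False),
                      (6, 110, "allow", True, True),
                      (17, 53, "allow", False, False)]
    schedule = [(6, 110, datetime(2024, 1, 15, 9), datetime(2024, 1, 15, 17)),
                (6, 80, datetime(2024, 1, 15, 22), datetime(2024, 1, 16, 6)),
                (17, 53, datetime(2024, 1, 14, 0), datetime(2024, 1, 14, 23, 59))]
    inbound, outbound = global_rule_sets(protocol_table)            # block 659
    active = add_timing_rules(schedule, now, inbound, outbound)
    return inbound, outbound, active


if __name__ == "__main__":
    inb, outb, n = build_rule_sets("2024-01-15T10:00")
    print(n, inb[-1], outb[-1])
```

At 10:00 on the sample day only the 09:00 to 17:00 window for port 110 is open, so one deny pair is appended; at 23:30 the overnight window for port 80 is the one that fires, and at 20:00 none does and the rule sets are the plain output of block 598.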
Returning to Fig. 15B, once the timing rules have been defined, logic proceeds to block 574, where the timing rules ready flag is set. Then, at block 575, filter executive program 76 sends inbound and outbound global network protocol rules 152 and 154, including the "timing rules", to filter engine 78. Logic then proceeds to block 576, where all ready flags are cleared, and then to decision block 578 in Fig. 15C, where logic determines whether IP record load table 160, shown in Fig. 25A, has been output to database 72. As will be discussed in detail below with respect to Fig. 24, IP record load table 160 is created while filter engine 78 logs IP packets and is periodically output from filter engine 78 to database 72. IP record load table 160 includes the IP address of each logged IP packet. Therefore, when filter executive program 76 determines that IP record load table 160 has been output to database 72, filter executive program 76 kicks off an IP resolution subroutine at block 580. Accordingly, database 72 begins a DNS query for each domain name stored in IP record load table 160 to determine the IP address corresponding to that domain name, and stores the domain name in IP record load table 160. Thus, if an IP address has changed since IP record load table 160 was last output to database 72, IP record table 160 is updated with the new IP address.
If the IP log load table 160 has not been output to the database 72, or after the filter executive 76 has initiated the resolution of the IP addresses or host names of the logged computers, the logic proceeds to decision block 582, where it determines whether a predefined DNS verification timer has expired. If so, the logic proceeds to block 584, where the filter executive 76 initiates a DNS verification of the logged IP addresses. As will be described in more detail below, if logging is enabled, a log of all packets that passed through the filter engine 78 is retained. Accordingly, the database 72 initiates a DNS query for each IP address stored in the IP log load table 160 to determine whether the domain name corresponding to the IP address has changed. In the actual embodiment of the present invention described here, DNS verification is performed once every 24 hours. Therefore, if a Web site has changed its IP address within the last 24 hours, its current IP address is determined and reflected in the site table 126 and the site IP address table 127.
After the DNS verification has been initiated at block 584, the filter executive 76 initiates the quota calculation subroutine at block 586 to determine whether any group or user has exceeded the quota imposed on it. The logic implemented by the database 72 to perform these quota calculations is shown in more detail in Figure 27. A detailed discussion of Figure 27 is deferred until the filter engine and its logging capabilities have been described more fully.
If the DNS verification timer has not yet expired, or if it has expired and the filter executive 76 has initiated the DNS verification and the quota calculation, the logic returns to block 542 in Figure 15B. There, the filter executive 76 waits another predetermined time interval before checking the database 72 for any further changes. Therefore, in the exemplary embodiment of the present invention described here, blocks 542 through 586 are repeated every 15 seconds. In other words, new collaborative rules 150, global network protocol rules 152 and 154 and user rules 156 are updated, and the user mapping table 138 is sent to the name service manager 74, every 15 seconds. It will be appreciated that when the collaborative rules, global network protocol rules, user rules and time rules have been updated and their corresponding flags set, the filter engine 78 is notified that the rules are ready to be read by the filter engine 78.

Filtering IP Packets
It will be appreciated that when the filter executive 76 sets the various rules-ready flags, the filter engine 78 is notified that a new user rule set 156, inbound global network rule set 152 and outbound global network rule set 154 are ready. The filter engine 78 then acts according to the action flag of each rule: it reads the rule set in its entirety into the filter engine's rule set, adds the rule to the filter engine's rule set, replaces a rule in the filter engine's rule set, or deletes a rule from the filter engine's rule set. It will be appreciated that the filter engine's rule set takes the same form as the rule set shown in Figure 17. Using these continually updated rules, the filter engine 78 filters every IP packet passing through the network server 50. The logic implemented by the filter engine 78 is illustrated in more detail in Figure 21.
The logic of Figure 21 begins at block 680 and proceeds to decision block 682, where it determines whether the filter engine has intercepted an IP packet. It will be appreciated that the network server 50, and thus the filter engine 78, receive outbound IP packets leaving the LAN 44 before they are delivered to the Internet 40, and receive inbound IP packets arriving from the Internet before they are delivered to the LAN 44. If an IP packet has not been intercepted by the filter engine 78, the logic simply repeats decision block 682 until an IP packet is intercepted.
Once intercepted, the IP packet is examined for its source IP address, i.e., the IP address of the computer sending the packet, and its destination IP address, i.e., the IP address of the computer to which the packet is being sent. In addition, the IP packet is examined for its port number, so as to identify the application protocol used to send the IP packet. At block 686, the intercepted IP packet is then filtered by the filter engine 78 to determine whether the packet should be allowed by the filter engine 78 and/or logged by the filter engine 78. In addition, the IP packet is filtered to determine whether the user should be notified of the action taken.
The logic implemented by the filter engine 78 to filter an intercepted IP packet is illustrated in more detail in Figure 22. The logic begins at block 710 and proceeds to decision block 712, where it determines whether the intercepted IP packet is an outbound IP packet, i.e., an IP packet being sent from the LAN 44 to the Internet 40. If not, the IP packet must be an inbound IP packet. The logic therefore proceeds to decision block 714, where it determines whether the filter engine 78 has any inbound global network protocol rules 152. If not, the logic simply returns the result of the default filter rule at block 716, namely that the inbound packet is to be logged but denied passage to the requested destination on the LAN 44, and that the user is not notified. The logic then ends at block 718.
If, however, the filter engine 78 does have an inbound global network protocol rule set 152, the logic proceeds from decision block 714 to decision block 720, where it determines whether the IP packet matches one of the inbound global network rules. More specifically, the port number found in the inbound IP packet is compared with the destination port number of each of the inbound global network protocol rules 152. If the port number of the IP packet matches the destination port number of any one of the inbound global protocol rules 152, the result of decision block 720 is positive and the logic proceeds to block 721, where the result of the matching inbound global network protocol rule is returned. More specifically, the values of the inbound global network protocol rule's Log/no Log rule, allow/deny rule and notify/no notify rule are returned. The logic then ends at block 722. It will be appreciated from the above discussion that in the actual embodiment of the present invention described here, any inbound IP packet from the Internet is filtered only against the inbound global network protocol rules 152; it is not subjected to any further rule-based filtering. If, on the other hand, the IP packet does not match an inbound global network protocol rule, the default result is returned at block 716.
Returning to decision block 712, if the intercepted IP packet is an outbound IP packet, the logic proceeds to decision block 724, where it determines whether the filter engine 78 has any outbound global network protocol rules 154. If so, the logic determines at decision block 726 whether the outbound IP packet matches any of the outbound global network protocol rules 154. More specifically, the port number found in the outbound packet is compared with the source port number in each of the outbound global network protocol rules 154. If a match between the port numbers is found, the result of the matching global network protocol rule is returned at block 721, i.e., the results of the outbound global network protocol rule's Log/no Log rule, notify/no notify rule and allow/deny rule are returned. The logic then ends at block 722, and no further filtering of the outbound IP packet is performed.
If, on the other hand, the filter engine 78 does not have any outbound global network protocol rules 154, or if the outbound IP packet does not match one of the outbound global network protocol rules 154, the logic proceeds to block 728, where the filter engine 78 maps the source IP address of the outbound packet to a user ID in the user mapping table 138. More specifically, the filter engine 78 scans the user mapping rule table 140 for a record whose source IP address matches the source IP address of the outbound IP packet. At decision block 730, the filter engine 78 determines whether such a record has been found. If so, the filter engine 78 determines at decision block 736 whether the user rule set 156 contains any rules corresponding to the mapped user ID. If no record containing the source IP address of the packet and a mapped user ID is found in the user mapping rule table 140, or if the user rule set 156 does not contain any rules for the mapped user ID, the default result is returned at block 732 or block 738 respectively. Specifically, the result is to log but deny the outbound IP packet, and to take no action to notify the user. The filtering of the outbound packet is then complete, and the logic ends at block 734 or block 740.
If a mapping between the source IP address of the outbound IP packet and a user ID is found, and if the user rule set 156 includes rules for the mapped user ID, the logic proceeds to blocks 742 through 752, where the outbound IP packet is filtered against the user rules 156 corresponding to the user ID. In this regard, the filter engine determines at decision block 742 whether the IP packet matches any rule in the user rule set 156. To make this determination, the filter engine 78 compares the outbound IP packet with each rule in the user rule set 156 until a match is found. Accordingly, the outbound IP packet is compared with each of the user's rules found in the user rule set 156, in the order in which the user rules appear in the user rule set 156. Therefore, the IP packet is compared with the user's file type deny rules 157, then the protocol deny rules 158, the site rules 159, the protocol allow rules 155 and the user's unknown protocol rule 153. Those of ordinary skill in the art will recognize, however, that the order in which the user rules appear in the user rule set 156 depends on the order in which the filter executive 76 creates them, and that this order may be changed without departing from the scope of the present invention. With respect to the user's file type deny rules 157, if a file extension is found in the outbound IP packet, the file extension is compared against the file extensions listed in the file type deny rules 157. If there is a match, the packet is not compared with any other rule in the user rule set 156; instead, the result of the user's file type deny rule 157 is returned at block 744. That is, the allow/deny rule, notify/no notify rule and Log/no Log rule of the file type deny rule 157 are returned, and the logic then ends at block 746.
If the user has no file type rules 157, or if there is no match between the outbound IP packet and the file type deny rules 157, the outbound IP packet is compared against the user's protocol deny rules 158. More specifically, the port number found in the outbound IP packet is compared with the port number in each of the user's protocol deny rules 158 until a match is found. If a match is found, the packet is not filtered against any of the remaining user rules; instead, the result of the protocol deny rule, i.e., the results of its allow/deny rule, Log/no Log rule and notify/no notify rule, is returned at block 744, and the logic ends at block 746.
If no match to a protocol deny rule 158 is found, the outbound packet is compared with the user's site rules 159. More specifically, the port number and destination IP address found in the IP packet are compared with the port number and destination IP address in each of the user's site rules 159. Again, if a match is found, the results of the site rule's allow/deny rule, Log/no Log rule and notify/no notify rule are returned at block 744, and the logic ends at block 746. It is possible, however, that the IP packet matches none of the site rules 159. If so, the packet is compared with the user's protocol allow rules 155, i.e., the port number from the IP packet is compared with the port number of each protocol allow rule 155. If a match is found, the results of the Log/no Log rule, allow/deny rule and notify/no notify rule are returned at block 744, and the logic ends at block 746.
If the IP packet has been compared with the file type deny rules 157, protocol deny rules 158, site rules 159 and protocol allow rules 155 and no match has been found, the IP packet is filtered one last time against the user's unknown protocol rule 153. If a match is found, the result of the unknown protocol rule 153, i.e., its Log/no Log rule, allow/deny rule and notify/no notify rule, is returned at block 744, and the logic ends at block 746.
Finally, if the IP packet does not match any of the rules defined above, the logic proceeds to block 750, where the result of the default filter rule is returned, namely that the packet is to be denied but logged, and the user is not notified. The logic then ends at block 752.
Once the intercepted IP packet has been filtered as described above and the Log/no Log, allow/deny and notify/no notify results have been returned from the filtering process, the logic proceeds from block 686 in Figure 21 to decision block 688, where it determines whether the IP packet is to be logged. In other words, the logic determines whether the filtering process returned a Log result. If so, the logic determines at block 690 whether the collaborative Log on/off rule is set on. If so, the IP packet is stored in a log buffer in the filter engine 78 at block 692. If, however, the filter result is not to log the IP packet, or if the collaborative rules do not log IP packets, the logic skips block 692 and proceeds directly to decision block 694.
At decision block 694, the logic determines whether the IP packet is to be allowed to pass to its intended destination. More specifically, the logic determines whether the filter result is to allow or to deny the IP packet. If the IP packet is denied, the logic determines at decision block 696 whether the collaborative Log-no-block rule is set. If so, because the collaborative rules then only simulate blocking, the IP packet is allowed to pass to its intended destination at block 700. If, however, the result of the filtering process is to deny the IP packet, and the collaborative rules permit IP packets to actually be blocked, the IP packet is denied and dropped at block 698 and is not allowed to pass to its intended destination.
Once it has been determined whether the packet is to be logged and/or dropped, the logic proceeds to decision block 702, where it determines whether the user is to be notified of the action taken by the filter engine 78 with respect to the IP packet. More specifically, the logic determines whether the filter result is to notify or not to notify the user. If the filter result is to notify the user, the logic determines at decision block 704 whether the collaborative notify rule is set on. If so, the filter engine 78 generates a notification request at block 706. If, however, the filter result is not to notify the user, or the collaborative notify-user rule is set off, the filter engine 78 does not issue a notification request.
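The following is an added example, not code from the patent, that implements the filtering procedure of Figures 21 and 22 as the text above describes it: inbound packets face only the inbound global protocol rules; outbound packets face the outbound global protocol rules, then the mapped user's rules in the order file type deny, protocol deny, site, protocol allow, unknown protocol; anything unmatched gets the default of log, deny, no notify; and the collaborative Log on/off, Log-no-block and notify switches are applied last. Data layouts, field names and the sample rules are assumptions made for this example.

```python
"""Added illustration of the Figure 21/22 filtering procedure described above.
Data layouts, names and sample rules are assumptions made for this example;
the patent describes the procedure, not this code."""
from dataclasses import dataclass, field
from typing import Optional

# Default filter result (blocks 716, 732, 738, 750): log, deny, do not notify.
DEFAULT = (True, False, False)


@dataclass
class Packet:
    outbound: bool
    src_ip: str
    dst_ip: str
    port: int
    file_ext: Optional[str] = None      # file extension seen in the payload, if any


@dataclass
class Rule:
    log: bool
    allow: bool
    notify: bool
    port: Optional[int] = None          # protocol rules and site rules
    dst_ip: Optional[str] = None        # site rules only
    exts: frozenset = frozenset()       # file type deny rules only

    def result(self):
        return (self.log, self.allow, self.notify)


@dataclass
class UserRules:
    """User rule set 156, in the evaluation order the text gives."""
    filetype_deny: list = field(default_factory=list)   # rules 157
    protocol_deny: list = field(default_factory=list)   # rules 158
    site: list = field(default_factory=list)            # rules 159
    protocol_allow: list = field(default_factory=list)  # rules 155
    unknown: Optional[Rule] = None                      # rule 153


@dataclass
class CollaborativeRules:
    """Collaborative switches 150 consulted in Figure 21 blocks 690, 696, 704."""
    log_on: bool = True
    log_no_block: bool = False          # True: blocking is only simulated
    notify_on: bool = True


def filter_packet(pkt, inbound_global, outbound_global, user_map, user_rules):
    """Figure 22: return the (log, allow, notify) result for one intercepted packet."""
    if not pkt.outbound:
        # Inbound packets face only the inbound global protocol rules 152.
        for r in inbound_global:
            if r.port == pkt.port:
                return r.result()
        return DEFAULT
    # Outbound: a matching global protocol rule 154 ends filtering.
    for r in outbound_global:
        if r.port == pkt.port:
            return r.result()
    user_id = user_map.get(pkt.src_ip)          # block 728: source IP -> user ID
    if user_id is None or user_id not in user_rules:
        return DEFAULT
    ur = user_rules[user_id]
    if pkt.file_ext is not None:
        for r in ur.filetype_deny:
            if pkt.file_ext.lower() in r.exts:
                return r.result()
    for r in ur.protocol_deny:
        if r.port == pkt.port:
            return r.result()
    for r in ur.site:
        if r.port == pkt.port and r.dst_ip == pkt.dst_ip:
            return r.result()
    for r in ur.protocol_allow:
        if r.port == pkt.port:
            return r.result()
    if ur.unknown is not None:
        return ur.unknown.result()
    return DEFAULT


def dispose(result, collab):
    """Figure 21 blocks 688-706: combine the filter result with the collaborative
    switches. Returns (logged, dropped, notified)."""
    log, allow, notify = result
    return (log and collab.log_on,
            (not allow) and (not collab.log_no_block),
            notify and collab.notify_on)


# Constructed sample rule sets and user mapping (assumed values).
INBOUND_GLOBAL = [Rule(log=True, allow=True, notify=False, port=25)]
OUTBOUND_GLOBAL = [Rule(log=False, allow=True, notify=False, port=53)]
USER_MAP = {"10.0.0.5": 1001}
USER_RULES = {1001: UserRules(
    filetype_deny=[Rule(True, False, True, exts=frozenset({"exe", "mp3"}))],
    protocol_deny=[Rule(True, False, False, port=6667)],
    site=[Rule(True, False, True, port=80, dst_ip="198.51.100.7")],
    protocol_allow=[Rule(True, True, False, port=80)],
    unknown=Rule(True, False, False),
)}


def decide(pkt, collab=CollaborativeRules()):
    """Full Figure 21/22 outcome for one packet against the sample rules."""
    return dispose(filter_packet(pkt, INBOUND_GLOBAL, OUTBOUND_GLOBAL, USER_MAP, USER_RULES), collab)


if __name__ == "__main__":
    print(decide(Packet(True, "10.0.0.5", "203.0.113.9", 80)))         # web request allowed
    print(decide(Packet(True, "10.0.0.5", "198.51.100.7", 80)))        # site rule: logged, dropped, notified
    print(decide(Packet(False, "203.0.113.9", "10.0.0.5", 23)))        # inbound default: logged, dropped
```

Note that the order of the user rules is what makes a deny rule win over an allow rule for the same port, and that a packet from an unmapped source address is denied by default rather than passed; setting `log_no_block` turns the whole engine into a monitor-only deployment, as the text describes for the Log-no-block switch.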
Once the IP packet has been filtered and the appropriate action has been taken on it by the filter engine 78, the logic returns to decision block 682 and waits for another IP packet to be intercepted. Blocks 682 through 706 are then repeated for each IP packet intercepted by the filter engine 78. Those of ordinary skill in the art will appreciate that as each IP packet intercepted by the filter engine 78 is processed, the filter engine 78 either logs or does not log the IP packet, either drops the IP packet or delivers it to its intended destination, and either notifies or does not notify the user of the action taken by the filter engine 78, depending on the policies initially set by the system administrator, intermediate supervisors or administrators using the GUI 70. As will be discussed in detail below, the logged intercepted IP packets are entered into tables in the database 72 so that the system administrator, intermediate supervisors and administrators can maintain and review the outbound requests made by the users of the LAN 44 for information and services located on the Internet.

Logging Function
As noted above, the filter executive 76 initiates a series of logging threads to which the filter engine 78 supplies raw log data. The logic used by the filter executive 76 to implement these logging threads is shown in more detail in Figure 23. The logic begins at block 760 and proceeds to block 762, where the filter executive 76 starts a series of one-minute lists of logged IP packets. Specifically, the filter executive 76 begins collecting logged IP packets into lists at one-minute intervals. During each one-minute interval, the filter executive 76 collects all logged IP packets in a temporary buffer. While the database 72 continues to collect one-minute lists of IP packets, the filter executive 76 also waits, at block 764, for the transaction load interval set in the collaborative default table 110 to expire. Upon expiration, the filter executive 76 compresses all of the one-minute lists collected during the transaction load interval into the IP log load table 160, which is shown in detail in Figure 25A. Specifically, for each collected IP packet, the filter executive 76 stores a record in the IP log load table 160 containing the start time of the transaction, the user ID of the user sending or receiving the IP packet, the source IP address of the IP packet, the destination IP address of the IP packet, the port number stored in the IP packet, the number of data bytes input by the IP packet if it is an inbound IP packet or the number of data bytes output by the IP packet if it is an outbound IP packet, the filter result (i.e., Log/no Log, allow/deny, notify/no notify) and an access flag.
Once all of the one-minute lists of IP packets have been compressed into the IP log load table 160, the filter executive 76 outputs the IP log load table to the database 72 at block 771, and at block 768 initiates a subroutine to analyze the IP log load table 160. The logic then returns to block 764 and waits for the transaction load interval to expire.
The logic implemented by the filter executive 76 and the database to analyze the IP log load table 160 and convert it into the IP log table 162 is shown in more detail in Figure 24. The logic begins at block 770 and proceeds to decision block 772, where it determines whether a load table transmit flag has been set. If not, the logic simply repeats at block 772 until the load table transmit flag is set by the filter engine 78. At that point, the IP log load table 160 is copied to an IP log work table 164 in the database 72 at block 774. The IP log load table 160 is then emptied so that it can be filled again by the logging threads executed by the filter engine 78.
At block 776, the first record in the IP log work table 164 is obtained. At block 776, the filter executive 76 performs a DNS lookup of the domain name corresponding to the destination IP address of the logged packet. At block 778, a record is added to the site cache work table 166 for the site specified in the IP log work table record. This record contains a site ID identifying the record in the site cache work table 166, the domain name of the site and the destination IP address of the site. At block 782, the site ID of the record newly added to the site cache work table 166 is added to the corresponding IP log work record for the logged packet.
The logic then proceeds to decision block 784, where it determines whether the user ID in the IP log work record has already been stored in the name cache table 176. If the user ID has been stored in the name cache work table 168, then the user corresponding to the user ID has previously attempted to transmit an IP packet, and that IP packet was logged. If this is not the case, a record is added to the name cache work table 168. This record contains a name ID identifying the added record, the user ID, the user login name retrieved from the user's record in the user table 118 using the user ID, and the source IP address of the IP packet, which should be the IP address of the computer into which the user is logged and from which the user is sending the packets. At block 788, the name ID of the record just added to the name cache work table 168 is stored in the corresponding IP log work record. If, on the other hand, it is determined at decision block 784 that the user ID in the IP log work record has already been stored in the name cache table 176, the name ID from the corresponding record for the user in the name cache table 176 is stored in the IP log work record at block 789.
Once the user ID has been stored in the name cache work table or the appropriate name ID has been stored in the corresponding IP log work record, the logic proceeds to decision block 790, where it determines whether the port number in the IP log work record has already been stored in the protocol cache table 172. If not, this particular port has not been used before, and therefore no IP packet using this protocol has yet been logged. Accordingly, at block 792, a record is added to the protocol cache work table 170 containing a port ID identifying the newly added record, the port number and the protocol name of the protocol. At block 794, the ID of the record just added to the protocol cache work table 170 is stored in the corresponding IP log work record. If, on the other hand, it is determined at decision block 790 that the port number in the IP log work record has already been stored in the protocol cache table 172, the port ID from the corresponding record for the protocol in the protocol cache table 172 is stored in the IP log work record at block 791.
Once the IP log work record has been processed as described above, the logic proceeds to decision block 796, where it determines whether the last record in the IP log work table 164 has been processed. If not, the next record in the IP log work table 164 is obtained at block 798, and blocks 776 through 796 are repeated for the next record. Blocks 776 through 798 are then repeated for each record in the IP log work table 164. When the last record has been processed, the logic proceeds to block 800, where the IP log work table 164, name cache work table 168, site cache work table 166 and protocol cache work table 170 are compressed into the corresponding IP log table 162, name cache table 176, site cache table 174 and protocol cache table 172 respectively. The records in each work table are then deleted, and the logic ends at block 802.
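The following is an added example, not code from the patent, showing the Figure 24 analysis step as a normalization pass: each IP log work record is reduced to cache IDs for its site, user name and protocol, and each cache table receives a row only the first time a destination, user or port is seen. The table layouts, the sample load rows, the protocol names and the reverse DNS stand-in are all constructed for this example.

```python
"""Added illustration of the Figure 24 analysis step: IP log work records are
normalised into site, name and protocol cache tables, and the log records keep
only the cache IDs. Layouts, sample rows and the DNS stand-in are constructed
for this example; this is not the patent's code."""

# Constructed IP log load table 160 rows:
# (start_time, user_id, src_ip, dst_ip, port, bytes_in, bytes_out, result, access_flag)
LOAD_TABLE_160 = [
    ("2024-05-02T09:00:00", 501, "10.0.0.5", "203.0.113.9", 80, 0, 512, "LAN", 1),
    ("2024-05-02T09:00:03", 501, "10.0.0.5", "203.0.113.9", 443, 0, 640, "LAN", 1),
    ("2024-05-02T09:00:07", 502, "10.0.0.6", "198.51.100.7", 80, 0, 300, "LDN", 1),
    ("2024-05-02T09:00:09", 501, "10.0.0.5", "198.51.100.7", 80, 0, 128, "LDN", 1),
]
USER_TABLE_118 = {501: "alice", 502: "bob"}                 # user_id -> login name
PROTOCOL_NAMES = {80: "http", 443: "https"}                 # port -> protocol name
# Stand-in for the DNS lookup at block 776 (constructed, no network access).
REVERSE_DNS = {"203.0.113.9": "www.example.com", "198.51.100.7": "download.example.net"}


class Caches:
    """The three cache tables, keyed by the value the text says is checked."""

    def __init__(self):
        self.sites = {}      # dst_ip  -> (site_id, domain, dst_ip)          site cache 174
        self.names = {}      # user_id -> (name_id, user_id, login, src_ip)  name cache 176
        self.protocols = {}  # port    -> (port_id, port, protocol name)     protocol cache 172

    def _intern(self, table, key, make_row):
        """Return the row ID for key, adding a row with the next ID if it is new."""
        row = table.get(key)
        if row is None:
            row = make_row(len(table) + 1)
            table[key] = row
        return row[0]

    def site_id(self, dst_ip):                  # blocks 776-782
        return self._intern(self.sites, dst_ip,
                            lambda i: (i, REVERSE_DNS.get(dst_ip, dst_ip), dst_ip))

    def name_id(self, user_id, src_ip):         # blocks 784-789
        return self._intern(self.names, user_id,
                            lambda i: (i, user_id, USER_TABLE_118.get(user_id, ""), src_ip))

    def port_id(self, port):                    # blocks 790-794
        return self._intern(self.protocols, port,
                            lambda i: (i, port, PROTOCOL_NAMES.get(port, "unknown")))


def analyze_load_table(load_rows, caches):
    """Blocks 774-800: copy the load table to a work table, attach cache IDs to
    each record, and return the rows that would be compressed into IP log table 162."""
    work = list(load_rows)          # block 774: copy, then empty the load table
    load_rows.clear()
    ip_log_162 = []
    for start, user_id, src_ip, dst_ip, port, bytes_in, bytes_out, result, access in work:
        ip_log_162.append((start,
                           caches.name_id(user_id, src_ip),
                           caches.site_id(dst_ip),
                           caches.port_id(port),
                           bytes_in, bytes_out, result, access))
    return ip_log_162


def run_sample():
    """Process the constructed load table once and return (log rows, caches)."""
    caches = Caches()
    rows = analyze_load_table(list(LOAD_TABLE_160), caches)
    return rows, caches


if __name__ == "__main__":
    rows, caches = run_sample()
    for row in rows:
        print(row)
    print(caches.sites, caches.names, caches.protocols, sep="\n")
```

Because the cache tables are keyed on destination address, user ID and port, the repeated traffic of one user to one site collapses to one site row and one name row, which is what lets the later quota and report queries join on small integer IDs instead of re-resolving names for every packet.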
Those of ordinary skill in the database art will recognize that once the IP log and cache tables have been generated as described above, the various other functions that databases provide, including database reporting functions, become available. In the actual embodiment of the present invention described here, the system administrator, intermediate supervisors and administrators have the option of preparing various reports using the IP log and cache tables. To access these functions, the operator selects the report option toolbar button 71 in the main window 84. The report options will not be described in detail here, however, because they are conventional and a discussion of them is not necessary to describe the disclosed embodiment of the present invention.
Once the IP log table 162 has been created, the database 72 can calculate quota violations. As noted above with respect to the filter executive 76, one of the functions of the filter executive 76 is to initiate the quota violation calculation when a predetermined time interval expires. In the actual embodiment of the present invention described here, the predetermined time interval is 24 hours. Therefore, the database 72 calculates quota violations once a day. The logic implemented by the database to calculate quota violations is shown in detail in Figure 26.
The logic in Figure 26 begins at block 804 and proceeds to block 806. At block 806, the database 72 scans the IP log table 162 for all records related to the first name ID, i.e., the first user, whose start time falls within the last 24-hour period. At block 808, the total inbound and outbound IP packet traffic of the corresponding user is calculated as the sum of the bytes-in and bytes-out field values stored in all such records. At decision block 810, the logic determines whether the calculated total exceeds the user's current quota stored in the user quota table 125. It will be appreciated that the user's current quota is located in the user quota table by using the user's name ID in the IP log table 162 as an index into the name cache table 166 to identify the user ID corresponding to the name ID. The user ID is then used as an index into the user quota table to locate the user record containing the current quota. If the calculated value is not greater than the current quota, no violation has occurred, and the logic simply proceeds to decision block 816, where it determines whether the last user in the IP log table 162 has been processed. If, however, the calculated value is greater than the user's current quota, a record is added to the quota violation table 186 containing the user's name ID, the date of the violation, the user's current quota and the calculated value.
The logic then proceeds to decision block 816, where it determines whether the last user in the IP log table 162 has been processed. If not, the database scans the IP log table 162 for all records related to the next name ID (i.e., all records related to the next user) whose start time falls within the last 24-hour period. Blocks 808 through 818 are then repeated for each user having any record in the IP log table 162. Accordingly, a record is added to the quota violation table 168 stored in the database 72 for each user who has exceeded his or her quota. The logic then ends at block 820.
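The following is an added example, not code from the patent, that carries out the Figure 26 quota calculation as described: records outside the 24-hour window are ignored, bytes in and bytes out are summed per name ID, the name ID is translated to a user ID through the name cache before the quota is looked up, and a violation record is produced only when the total is strictly greater than the quota. The table layouts and sample rows are constructed for this example.

```python
"""Added illustration of the Figure 26 quota violation calculation.
Table layouts and sample rows are constructed for this example; they are not
the patent's own code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IP log table 162 rows: (name_id, start_time, bytes_in, bytes_out)
IP_LOG_162 = [
    (1, datetime(2024, 5, 2, 9, 0), 120_000, 4_000),
    (1, datetime(2024, 5, 2, 17, 30), 900_000, 30_000),
    (2, datetime(2024, 5, 2, 10, 0), 50_000, 2_000),
    (2, datetime(2024, 4, 28, 10, 0), 5_000_000, 0),   # older than 24 h: must be ignored
    (3, datetime(2024, 5, 2, 12, 0), 0, 700_000),
]
# Name cache: name_id -> user_id (the index step described at block 810).
NAME_CACHE = {1: 501, 2: 502, 3: 503}
# User quota table 125: user_id -> current quota in bytes.
USER_QUOTA_125 = {501: 1_000_000, 502: 100_000, 503: 600_000}


def compute_quota_violations(now, ip_log, name_cache, user_quota,
                             window=timedelta(hours=24)):
    """Return quota violation records (name_id, date, quota, total_bytes) for
    every user whose traffic inside the window exceeds the current quota."""
    since = now - window
    totals = defaultdict(int)
    for name_id, start, bytes_in, bytes_out in ip_log:
        if since <= start <= now:                    # block 806: last 24-hour period only
            totals[name_id] += bytes_in + bytes_out  # block 808: inbound + outbound traffic
    violations = []
    for name_id in sorted(totals):
        user_id = name_cache.get(name_id)            # name ID -> user ID -> quota record
        if user_id is None or user_id not in user_quota:
            continue                                 # no quota on record for this user
        quota = user_quota[user_id]
        if totals[name_id] > quota:                  # block 810: strictly greater
            violations.append((name_id, now.date(), quota, totals[name_id]))
    return violations


def sample_violations():
    """Run the calculation once against the constructed tables."""
    return compute_quota_violations(datetime(2024, 5, 2, 23, 59),
                                    IP_LOG_162, NAME_CACHE, USER_QUOTA_125)


if __name__ == "__main__":
    for record in sample_violations():
        print(record)
```

With the sample data, user 1 exceeds a 1,000,000-byte quota by 54,000 bytes and user 3 exceeds a 600,000-byte quota; user 2's large transfer from four days earlier falls outside the window and produces no violation.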
As noted above with respect to the filter executive 76, one of the functions implemented by the filter executive 76 is to initiate a notification thread. The logic implemented by the notification thread is shown in more detail in Figure 27. The logic begins at block 822 and proceeds to block 824, where it determines whether a request from the filter engine 78 to notify a user that a packet has matched his or her user rules has been received. If no such request has been received, the logic simply repeats at block 824 until a request is received. If a notification request is received from the filter engine 78, a query for the computer name corresponding to the user's source IP address is sent to the name service manager 74. As will be described in detail below, the name service manager 74 maintains a master mapping table 178 that tracks the current mapping information. If the name service manager 74 has the mapping information requested by the filter executive 76, it returns the computer name to the filter executive 76. Accordingly, at decision block 828, the logic determines whether a computer name has been received from the name service manager 74. If not, there is no current mapping of this user to a computer, and the notification message cannot be sent. The logic therefore ends at block 830. If, however, the name service manager 74 returns a computer name for the user, the filter executive 76 forwards the notification request to the GUI, which then generates the appropriate message. The logic then returns to block 824, and blocks 824 through 832 are repeated for each notification request received from the filter engine 78.

Updating Network Mapping Information
Now that the GUI 70, the rule and log database 72, the filter executive 76 and the filter engine 78 have been described comprehensively, the name service manager 74 will be described in detail. It will be understood, however, that the name service manager 74 is also disclosed in commonly assigned U.S. Patent Application No. ---, by Abraham et al., entitled "Method and apparatus for resolving Network Users to Network computers", the disclosure and drawings of which are specifically incorporated herein by reference.
As discussed above, the filter executive, acting as a name service agent, receives mapping information and plays the role of a name service proxy. In this regard, the filter executive 76 periodically sends the static user mapping table 138 to the name service manager 74. The name service manager 74 updates its master mapping table 178 with this mapping information and returns updated mapping information to the filter executive 76. Acting as a name service application, the filter executive 76 also handles the mapping information updated through the user mapping table 138 and delivers it to the filter engine 78. In particular, the name service manager 74 notifies the filter executive 76 that a computer user on the interconnected LAN 44 has logged into or out of a particular computer. The filter executive 76 then passes this information to the filter engine 78 so that the filter engine uses the most current mapping information to filter inbound and outbound IP packet traffic. Therefore, when a user of the LAN 44 logs into or out of the LAN, the filter engine 78 is notified immediately and accordingly begins or stops filtering IP packets for that user. In addition, if the IP address of the computer the user is currently using changes, the filter engine 78 filters IP packets according to the new IP address rather than the old, out-of-date IP address.
As shown in Figure 4, the name service manager 74 receives mapping information from the filter executive, which plays the role of a name service proxy. In this regard, the filter executive 76 is referred to as the static parent of mapping information, because the computer-to-user mappings are statically assigned by the system administrator and intermediate supervisors and are maintained in the static user mapping table 138 as described above. The filter executive 76 periodically sends the user mapping table 138 to the name service manager 74 in the form of a transaction container 184, which is described in detail below. Each record of the static user mapping table 138 is included in the transaction container 184 as a login update transaction record 183 containing the user ID, the user login name, the computer name of the computer assigned to the user and the IP address of the computer assigned to the user.
The name service manager 74 may also receive mapping information from a domain controller agent 75 or from a master agent 77 located on the domain controller server 60. As noted above, the domain controller agent 75 collects dynamic user login and logout information, i.e., updated computer-to-user mappings, and sends that information to the name service manager 74. The master agent 77, on the other hand, collects IP address updates, i.e., updated IP-address-to-computer mappings, and provides this information to the name service manager 74. Because the domain controller agent 75 and the master agent 77 both provide dynamic or variable mapping information, these two kinds of agents are referred to as dynamic sources of name information.
The mapping information collected by the name service agents, i.e., the filter executive 76 and the domain controller agent 75 or master agent 77, and provided to the name service manager 74 is used by the name service manager 74 to maintain the master mapping table 178. The master mapping table 178 is shown in more detail in Figure 28A. The master mapping table 178 consists of a number of records containing the mapping information for each computer connected to the LAN 44. More specifically, each record contains fields storing a computer name, the IP address assigned to the computer name, the user login name of the user currently using the computer and the fully qualified domain name of the computer. In addition, the record contains a logged-in flag which, when set, indicates that the user identified by the login name in the record is logged into the computer identified in the record. A static parent flag is also provided which, when set, indicates that the mapping information contained in the record was provided to the name service manager 74 by the static parent of mapping information, i.e., the filter executive 76. When it is not set, the static parent flag indicates that the mapping information contained in the record was provided by a dynamic source, i.e., a name service agent that provides dynamic or variable name service information, such as the domain controller agent 75 or the master agent 77. Finally, each record contains an in-use flag which, when set, indicates that the record is an active record and can therefore be served to the filter executive 76.
Name Service manager 74 is from filtering executive program 76 and domain controller agency 76 or master agent 77 receives map informations, and a map information that upgrades turned back to filters executive program 76, plays the application program effect of affairs container 184 forms shown in Figure 28 B.Affairs container 184 comprises the leader 185 of following zero or more transaction journal 183.The type of the affairs that leader 185 signs are just being carried out.For example, if affairs container 55 comprises the renewal map information at main mapping table 178, leader will identify affairs container 184 for upgrading container, and the leader back is followed and comprised a large amount of transaction journals 183 of upgrading map information.Each transaction journal 183 also is designated the user and logins more new record, and the user withdraws from more new record, and the current address is new record more, or depends on the previous address renewal record of the renewal map information of transaction journal container.Last transaction journal in affairs container 184 is null record, the end of transaction journal in the expression affairs container 184.
In some cases, affairs container 184 can comprise the information except that upgrading map information, more particularly, affairs container 184 can comprise or from name Service agency or 75 or 77 or the request that comes inherent filtration executive program 76 to register the agency or use to name Service manager 74.In this case, the leader 185 sign affairs containers of affairs container 184 are as the name Service agency or use the registration container whichever, and affairs container 184 does not comprise any transaction journal 183.As what below will describe in detail, when name Service manager 74 from acting on behalf of 75 or 77, during perhaps from filtration executive program 76 reception registration containers, name Service manager 74 is opened with the communication that replaces or filter executive program 76, and begin to receive affairs container 184, and affairs container 184 is delivered to filtration executive program 76 from acting on behalf of 75 or 77.
Similarly, affairs container 184 can comprise or from name Service agency 75 or 77, perhaps comes the inherent filtration executive program unregistered and close communication with name service managerZ-HU 74.In this case, the leader 185 sign affairs containers of container 184 are unregistered container, but the affairs container does not comprise any transaction journal 183.
At last, master agent 77, domain controller agency 75 or filtration executive program 76 can be inquired name Service manager 74, about the map information of particular network user or network computer.Therefore, agency or filtration executive program send the affairs container 184 that is designated the inquiry container in the leader 185 to name Service manager 74.In addition, leader 185 comprises user's login name, he is acted on behalf of or filter executive program 76 seek map information for him, perhaps the IP address or the computer name of computer, it is acted on behalf of or filter executive program 76 is being that it seeks map information, as what below will describe in detail, name Service manager 74 will return the corresponding map information that finds in main mapping table 178.The inquiry container does not comprise any transaction journal.
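The following is an added example, not code from the patent, of an encoder and parser for the transaction container 184 described above: a header 185 carrying the container type (and, for a query container, the login name or address being looked up), followed for update containers only by transaction records 183 and a closing null record. The byte layout, the numeric type codes and the use of length-prefixed UTF-8 strings are assumptions; the patent gives only the logical structure. The parser rejects a container whose shape contradicts the description (records on a registration container, an update container without a null record, trailing bytes), which is what a receiver needs in order to log a protocol failure rather than act on a malformed container.

```python
import struct

# Container and record types named in the description; the numeric codes,
# the field layout and the query key in the header are assumptions.
CONTAINER_TYPES = ("update", "agent_register", "app_register",
                   "agent_unregister", "app_unregister", "query")
RECORD_TYPES = ("login", "logout", "current_address", "previous_address", "null")
RECORD_FIELDS = ("domain", "computer", "ip", "login_name")


def _pack_str(s):
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b


def _unpack_str(buf, pos):
    (n,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos:pos + n].decode("utf-8"), pos + n


def encode_container(ctype, records=(), query_key=""):
    """Serialise a transaction container 184: header 185 (type code plus the
    login name / address carried by a query container) followed, for update
    containers only, by the transaction records 183 and a closing null record."""
    if ctype not in CONTAINER_TYPES:
        raise ValueError("unknown container type %r" % ctype)
    if ctype != "update" and records:
        raise ValueError("%s container must not carry transaction records" % ctype)
    out = bytearray(struct.pack("!B", CONTAINER_TYPES.index(ctype)))
    out += _pack_str(query_key)
    if ctype == "update":
        for rec in records:
            if rec["type"] == "null":
                raise ValueError("null record is written by the encoder only")
            out += struct.pack("!B", RECORD_TYPES.index(rec["type"]))
            for field in RECORD_FIELDS:
                out += _pack_str(rec.get(field, ""))
        out += struct.pack("!B", RECORD_TYPES.index("null"))   # end of records
    return bytes(out)


def decode_container(buf):
    """Parse a container into (type, query_key, records). Any malformed input,
    including an update container with no null record, raises ValueError so the
    receiver can log it as a protocol failure instead of acting on it."""
    try:
        (code,) = struct.unpack_from("!B", buf, 0)
        if code >= len(CONTAINER_TYPES):
            raise ValueError("unknown container type code %d" % code)
        ctype = CONTAINER_TYPES[code]
        query_key, pos = _unpack_str(buf, 1)
        records = []
        if ctype == "update":
            while True:
                if pos >= len(buf):
                    raise ValueError("update container missing its null record")
                rcode = buf[pos]
                pos += 1
                if rcode >= len(RECORD_TYPES):
                    raise ValueError("unknown record type code %d" % rcode)
                if RECORD_TYPES[rcode] == "null":
                    break
                rec = {"type": RECORD_TYPES[rcode]}
                for field in RECORD_FIELDS:
                    rec[field], pos = _unpack_str(buf, pos)
                records.append(rec)
        if pos != len(buf):
            raise ValueError("%d trailing bytes after container" % (len(buf) - pos))
    except struct.error as exc:
        raise ValueError("truncated container: %s" % exc) from None
    return ctype, query_key, records


if __name__ == "__main__":
    # Constructed sample: one login update and one current-address update.
    sample = [{"type": "login", "domain": "corp.example", "computer": "WS17",
               "ip": "10.1.2.3", "login_name": "alice"},
              {"type": "current_address", "computer": "WS18", "ip": "10.1.2.4"}]
    wire = encode_container("update", sample)
    print(decode_container(wire))
```

Because the null record is the only end marker inside an update container, a receiver must treat its absence as an error rather than assume the records it has already read are complete; the parser above does so, and also refuses records on the registration, unregistration and query container types, which the description defines as header-only.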
The logic implemented by the name service manager 74 to process transaction containers 184 received from the name service agents, and to send a transaction container 184 containing mapping information to the filter executive program 76, is shown in Figures 29A and 29B. The logic starts at block 834 in Figure 29A and proceeds to decision block 836, where it determines whether a transaction container 184 has been received from one of the name service agents, i.e. from the filter executive program 76 acting as an agent, from the domain controller agent 75, or from the master agent 77. If the result of decision block 836 is negative, block 836 is repeated until the name service manager 74 receives a transaction container 184. Once a transaction container 184 is received, the logic proceeds to decision block 838, where it determines whether the transaction container 184 contains a registration request from a name service agent. If so, the logic proceeds to block 840, where the name service manager 74 opens communication with the requesting name service agent, sends the name service agent an initial message in the form of a transaction container 184, and registers the name service agent as a source of mapping information. It will be appreciated that the filter executive program 76 is registered as a static source of mapping information, while the domain controller agent 75 and the master agent 77 are registered as dynamic sources of mapping information for the name service manager 74.
Figure 30 shows the logic implemented by the domain controller agent 75 or the master agent 77 after sending a registration request to the name service manager 74. The logic starts at block 888 in Figure 30 and proceeds to decision block 890, where the name service agent determines whether a transaction container 184 has been received from the name service manager 74. If no such container has been received, decision block 890 is repeated by the name service agent until a transaction container 184 is received from the name service manager 74. When this occurs, the logic proceeds to decision block 892, where the name service agent determines whether the transaction container 184 contains an initial message from the name service manager 74. If so, the name service agent invokes its initial state generator at block 894 and begins collecting mapping information about the computers connected to LAN 44.
Once the initial state generator has been invoked, the name service agent's current state generator is invoked and the name service agent sets itself to the initialised state at block 896. The logic then returns to decision block 890, where the name service agent waits for another transaction container 184 from the name service manager 74.
The initial state generator and the current state generator invoked at blocks 894 and 896 respectively depend on the particular name service agent, i.e. on whether it is the domain controller agent 75 or the master agent 77. Although only the domain controller agent 75 and the master agent 77 are described herein, those of ordinary skill in the art will recognise that the present invention may use other types of agents, and that the domain controller agent 75 and the master agent 77 are merely illustrative examples of such name service agents. The initial and current state generators of the domain controller agent 75 and of the master agent 77 are described further below.
Figure 31 illustrates the logic used by the initial state generator of the domain controller agent 75. The logic starts at block 904 and proceeds to block 906, where the domain controller agent obtains from the domain controller server 60 an initial table of the computers that currently have a session with LAN 44 and have a user logged in. At block 908, the domain controller agent 75 performs a NETBIOS query to obtain the IP address of each computer in the initial table. Those of ordinary skill in the art will recognise that NETBIOS is an application programming interface which provides other applications with the assignment of computers to IP addresses and which, with a consistent command set, handles the low-level network services needed to establish a session between computers connected to LAN 44, so that those computers can transfer data back and forth across LAN 44.
Once the IP address of each computer identified in the initial table has been obtained from the NETBIOS application programming interface, the domain controller agent 75 begins preparing the transaction container 184 to be sent to the name service manager 74. To that end, at block 910 the domain controller agent 75 stores in its output queue a header 185 identifying the transaction container 184 as an update transaction container. At block 912, the domain controller agent 75 generates a transaction record for each computer in the initial table; each transaction record is identified as a login update record and contains the domain name, the computer name, the IP address of the computer, and the login name of the user currently using the computer. Each login transaction record is then stored in the output queue at block 914, following the transaction container header. At block 916, the output queue outputs the transaction container 184 to the name service manager 74, and the logic ends at block 918. As described in detail below, on receiving the transaction container 184 the name service manager 74 updates the master mapping table 178 with the mapping information stored in the login update records, and provides the updated mapping information from the master mapping table 178 to the filter executive program 76 acting as the name service application.
The logic implemented by the current state generator of the domain controller agent 75 is shown in Figure 32. The logic starts at block 920 and proceeds to decision block 922, where the domain controller agent 75 determines whether it is time to obtain the current session state of the computers connected to LAN 44. Those of ordinary skill in the art will recognise that the domain controller agent 75 obtains the current session state of LAN 44 periodically, and that the period may vary. If the result of decision block 922 is negative, decision block 922 is repeated until that time arrives. When it does, the logic proceeds to block 924, where the domain controller agent 75 obtains from the domain controller server 60 a current table of the computers having an active session with LAN 44 and the users logged in to them. At block 926, the domain controller agent 75 prepares a combined table identifying the newly active and newly inactive computers by comparing the current table of active computers with the previous table of active computers.
Those of ordinary skill in the art will understand that, during the first repetition of the current state generator, the previous table of active computers is in fact the initial table of active computers obtained for the domain controller agent 75 by the initial state generator. On subsequent repetitions of the current state generator, the previous table of active computers is the table of active computers obtained by the domain controller agent 75 during the preceding repetition of the current state generator and stored by it. By comparing the current table of active computers with the previous table of active computers, the domain controller agent 75 identifies those computers that have established an active session with LAN 44 since the last session state was obtained, i.e. computers on which a user has logged in, and those computers on which a user has logged out. More particularly, if a computer appears in the current table of active computers but not in the previous table of active computers, the computer is identified in the combined table as newly active; conversely, if a computer appears in the previous table of active computers but not in the current table, the computer has ended its session with LAN 44 since the last session state was obtained, and is therefore identified in the combined table as newly inactive.
Once the combined table has been prepared at block 926, the domain controller agent 75 performs a NETBIOS query at block 928 to obtain the IP address of each computer identified in the combined table. At block 930, the domain controller agent 75 begins preparing the transaction container 184 to be sent to the name service manager 74 by storing, in the domain controller agent's output queue, a header 185 identifying the transaction container as an update container. The domain controller agent 75 then processes the combined table in order to add transaction records 183 to the transaction container 184.
To that end, at block 932 the domain controller agent 75 obtains the first computer identified in the combined table. At block 934, the domain controller agent 75 generates a transaction record 183 containing the domain name, the computer name, the IP address of the computer and the login name of the user assigned to the computer. At decision block 936, the domain controller agent 75 determines whether the computer is newly active. If so, the domain controller agent 75 identifies the transaction record 183 as a login update record and stores the login update record in the output queue at block 938. Otherwise, the domain controller agent 75 identifies the transaction record 183 as a logout update record and stores the logout update record in the output queue at block 940. The logic then proceeds to decision block 942, where the domain controller agent 75 determines whether the last computer in the combined table has been processed. If not, the next computer in the combined table is obtained at block 944. Blocks 934 to 944 are repeated for every computer in the combined table, so that a login transaction record or a logout transaction record is stored for each of them in the transaction container 184 held in the output queue of the domain controller agent 75.
Once the last computer in the combined table has been processed, the output queue outputs the transaction container 184 to the name service manager 74 at block 946. The current table of active computers obtained at block 924 is then stored as the previous table of active computers at block 948, and the logic returns to decision block 922, where the domain controller agent 75 waits until the next current session state is to be obtained. Blocks 922 to 948 are then repeated by the domain controller agent 75 for each current session state obtained. The domain controller agent 75 therefore continues to generate and send transaction containers 184 containing login and logout update records, which the name service manager 74 processes further as each new session state is obtained.
As noted above, in some embodiments of the present invention the master agent 77 is used instead of the domain controller agent 75. In particular, the master agent 77 is used where the mapping of computers to users is not expected to change but the IP addresses assigned to the computers are allowed to change; accordingly, the master agent 77 collects IP address updates. The logic implemented by the initial state generator of the master agent 77 is shown in more detail in Figure 33. The logic starts at block 950 and proceeds to block 952, where the master agent 77 obtains from the domain controller server 60 an initial table of the computers having an active session with LAN 44 (a logged-in user is not required). Those of ordinary skill in the art will understand that the initial table obtained by the initial state generator of the master agent 77 will be very similar to the initial table obtained by the initial state generator of the domain controller agent 75, because both agents obtain their information from the domain controller server 60. If, however, the master agent 77 is located on the web server 30 or on another server connected to LAN 44, the initial table obtained by the master agent may differ somewhat.
Once the master agent 77 has obtained the initial table, it performs a NETBIOS query at block 954 to obtain the IP address of each computer identified in the initial table. At block 956, the master agent 77 stores the header of a transaction container 184 in the output queue of the master agent 77, this being the transaction container 184 that the master agent 77 will deliver to the name service manager 74. Then, at block 958, the master agent 77 generates a transaction record 183 for each computer identified in the initial table and stores each such record in the output queue following the header of the transaction container 184. Each transaction record 183 generated and stored by the master agent 77 is identified as a current-address update record, because the IP address returned by the NETBIOS query is treated as the new address of the associated computer. At block 960, the output queue of the master agent 77 outputs to the name service manager 74 the transaction container 184 consisting of the header generated at block 956, the current-address update records, and a final transaction record 183 indicating the end of the container. The logic then ends at block 962.
As noted above, after the initial state generator of the master agent 77 has been invoked, the current state generator of the master agent 77 is invoked. The logic implemented by the current state generator of the master agent 77 is shown in more detail in Figures 34A and 34B. The logic starts at block 964 in Figure 34A and proceeds to decision block 966, where it determines whether it is time to obtain the current session state of the computers connected to LAN 44. If not, decision block 966 is repeated until that time arrives. When the time to obtain the current session state arrives, the logic proceeds from decision block 966 to block 968, where the master agent 77 obtains the current table of the computers active on LAN 44. At block 970, the master agent 77 performs a NETBIOS query to obtain the IP address of each computer identified in the current table. At block 972, the master agent 77 prepares a compiled table identifying the newly active computers, the newly inactive computers, and the active computers having a new IP address. This compiled table is prepared by comparing the current table of active computers obtained at block 968 with the previous table of active computers. Those of ordinary skill in the art will understand that, during the first repetition of the current state generator, the previous table of active computers is in fact the initial table obtained by the initial state generator of the master agent 77, while on subsequent repetitions of the current state generator the previous table of active computers is the table of active computers obtained by the master agent 77 during the preceding repetition of the current state generator. Newly active computers appear only in the current table, and newly inactive computers appear only in the previous table. Computers with a new IP address appear in both tables, but the IP address corresponding to the computer name differs between them.
Once the compiled table has been prepared at block 972 by the current state generator of the master agent 77, the master agent 77 stores in its output queue, at block 974, the header of a transaction container 184 identifying the transaction container as an update transaction container. Then, at block 976 shown in Figure 34B, the master agent 77 obtains the first computer in the compiled table. At decision block 978, the master agent 77 determines whether this computer is newly active. If so, at block 980 the master agent 77 generates a transaction record 183 containing the mapping information of the newly active computer and stores it in the output queue following the header 185 of the transaction container 184. The transaction record 183 is identified as a current-address update and contains the computer name and the IP address of the newly active computer.
Returning to decision block 978, if the computer identified in the compiled table is not newly active, the logic proceeds to decision block 982, where the master agent 77 determines whether the computer is newly inactive, i.e. whether the computer has ended its active session with LAN 44 since the current session state was last obtained. If the computer is newly inactive, the master agent 77 generates a transaction record 183 containing the mapping information of the newly inactive computer and stores it in the output queue. This transaction record 183 is identified as a previous-address update and contains the old IP address of the computer and the computer name.
Returning to decision block 982, if the computer being processed is neither newly active nor newly inactive, the logic proceeds to decision block 986, where the master agent 77 determines whether a new IP address has been assigned to the computer. If so, at block 988 the master agent 77 generates and stores in the output queue two different transaction records 183. The first transaction record 183 is identified as a previous-address update and contains the computer's former IP address, its computer name and domain name, and the login name of any user assigned to the computer. The second transaction record 183 is identified as a current-address update and contains the new IP address of the computer and its computer name.
Returning to decision block 986, if the computer does not have a new IP address, or once the transaction record(s) 183 for the computer have been generated and stored in the output queue as described above, the logic proceeds to decision block 990, where the master agent 77 determines whether the last computer in the compiled table has been processed. If not, the next computer in the compiled table is obtained at block 992 and the logic returns to decision block 978 to process that computer. If the last computer in the compiled table has been processed, the logic proceeds from block 990 to block 994, where the output queue of the master agent 77 outputs to the name service manager 74 the transaction container 184 comprising the header and the transaction records stored in the output queue, together with a null transaction record indicating the end of the transaction container 184. At block 996, the current session table is stored as the previous session table, and the logic returns to decision block 966 in Figure 34A, so that the master agent 77 can again determine whether it is time to obtain the current session state. Blocks 966 to 996 are then repeated by the master agent 77 for each current session state obtained. The master agent 77 therefore continuously generates and sends to the name service manager 74 transaction containers 184 containing current-address and previous-address update records, for further processing as each new session state is obtained.
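The state generators of both dynamic agents reduce to the same operation: compare the previous session table with the current one and turn the differences into transaction records. The following added example (not the patent's code) implements the current state generators of the domain controller agent 75 (Figure 32: newly active computers become login updates, newly inactive ones logout updates) and of the master agent 77 (Figures 34A and 34B: newly active computers become current-address updates, newly inactive ones previous-address updates, and a changed IP address produces a previous-address record followed by a current-address record). Running either with an empty previous table reproduces the corresponding initial state generator (Figures 31 and 33). The session tables are constructed for the example, the NETBIOS lookup is simulated by a dictionary, and the `users` argument of the master agent function is an assumption standing in for wherever that agent obtains the login name it places in the previous-address record.

```python
# Session tables constructed for the example (the patent obtains them from the
# domain controller server 60); NETBIOS lookups are simulated by a dict.

def domain_controller_updates(previous, current, netbios):
    """Domain controller agent 75 (Figure 32). previous/current map computer name
    -> (domain, login_name) for computers with an active LAN 44 session and a
    logged-in user. With previous == {} this is the initial state generator
    (Figure 31): every computer is newly active and yields a login update."""
    records = []
    for comp in sorted(set(current) - set(previous)):          # newly active
        domain, user = current[comp]
        records.append({"type": "login", "domain": domain, "computer": comp,
                        "ip": netbios[comp], "login_name": user})
    for comp in sorted(set(previous) - set(current)):          # newly inactive
        domain, user = previous[comp]
        records.append({"type": "logout", "domain": domain, "computer": comp,
                        "ip": netbios.get(comp, ""), "login_name": user})
    return records


def master_agent_updates(previous, current, users=None):
    """Master agent 77 (Figures 34A/34B). previous/current map computer name ->
    IP address as returned by the NETBIOS query. users (assumed, optional) maps
    computer name -> (domain, login_name) for the previous-address record of a
    computer whose address changed. previous == {} is the initial state
    generator (Figure 33): one current-address update per computer."""
    users = users or {}
    records = []
    for comp in sorted(set(current) | set(previous)):
        if comp not in previous:                                 # newly active
            records.append({"type": "current_address", "computer": comp,
                            "ip": current[comp]})
        elif comp not in current:                                # newly inactive
            records.append({"type": "previous_address", "computer": comp,
                            "ip": previous[comp]})
        elif previous[comp] != current[comp]:                    # new IP address
            domain, user = users.get(comp, ("", ""))
            records.append({"type": "previous_address", "computer": comp,
                            "ip": previous[comp], "domain": domain,
                            "login_name": user})
            records.append({"type": "current_address", "computer": comp,
                            "ip": current[comp]})
    return records


def build_update_container(records):
    """Header 185 marking an update container, the records 183, then the null
    record that marks the end of the container."""
    return {"header": "update", "records": list(records) + [{"type": "null"}]}


def run_cycle(generate, previous, current, **lookup):
    """One repetition of a current state generator: emit the container for this
    session state and hand back the current table as the next previous table."""
    container = build_update_container(generate(previous, current, **lookup))
    return container, dict(current)


if __name__ == "__main__":
    netbios = {"WS1": "10.0.0.1", "WS2": "10.0.0.2", "WS3": "10.0.0.3"}
    prev = {"WS1": ("corp", "alice"), "WS2": ("corp", "bob")}
    cur = {"WS1": ("corp", "alice"), "WS3": ("corp", "carol")}
    container, prev = run_cycle(domain_controller_updates, prev, cur, netbios=netbios)
    for rec in container["records"]:
        print(rec)
```

A computer that is present in both tables with an unchanged address produces no record at all, so a steady-state cycle sends a container holding only the null record. Note that NetBIOS name resolution is unauthenticated, so the computer-to-IP mapping the agents obtain this way can be answered by any host on the LAN; the example follows the page and treats the lookup result as the current address.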
Returning to Figure 30, once the initial or current state generator specific to the name service agent has been invoked at blocks 894 and 896, the logic returns to decision block 890, where the name service agent waits for another transaction container 184 from the name service manager 74. If a transaction container 184 is received and it does not contain an initial message from the name service manager 74, the logic proceeds from decision block 892 to decision block 898, where it determines whether the transaction container 184 received by the name service agent contains a close message. If so, at block 900 the name service agent stops its current state generator and sets itself to the uninitialised state. The logic then returns to decision block 890 and the name service agent waits for another transaction container 184. If the transaction container 184 received by the name service agent contains neither an initial message nor a close message, the logic proceeds through decision blocks 892 and 898 to block 902, where the name service agent logs an unexpected communication event. After logging the unexpected communication event, the name service agent waits for another transaction container 184 at decision block 890.
It will be appreciated that when the filter executive program 76 acts as a name service agent, the logic it implements is similar to that described above in conjunction with Figure 30, except for what follows receipt of the initial message. The filter executive program 76 simply sets itself to the initialised state and sends the static user mapping table 138 to the name service manager 74 in the form of a transaction container 184. Similarly, on receiving a close message from the name service manager, the filter executive program 76 stops sending any such transaction containers 184 and sets itself to the uninitialised state.
Returning to block 840 in Figure 29A, once the name service manager 74 has registered the name service agent, i.e. the filter executive program 76, the domain controller agent 75 or the master agent 77, so that the name service agent can begin collecting mapping information and sending it to the name service manager 74, the logic returns to decision block 836, where the name service manager waits for a further transaction container 184 from the filter executive program 76, the domain controller agent 75 or the master agent 77, as the case may be, and then to decision block 838. If a transaction container 184 has been received but does not contain a name service agent registration request, the logic determines at block 842 whether the transaction container 184 contains a name service application registration request. If so, the logic proceeds to block 844, where the name service manager 74 opens communication with the filter executive program 76, delivers a transaction container 184 containing an initial message to the filter executive program 76, and registers the filter executive program.
The logic implemented by the name service manager 74 to register the filter executive program as the name service application is shown in more detail in Figure 35. Those of ordinary skill in the art will understand that the name service manager 74 may have begun collecting and maintaining mapping information before it receives the registration request from the filter executive program 76. Therefore, upon registration, the name service manager 74 needs to send the filter executive program 76 any mapping information it has already collected and stored in the master mapping table 178. To that end, the logic starts at block 998 in Figure 35 and proceeds to block 1000, where the name service manager 74 suspends any updates to the master mapping table 178. At block 1002, the name service manager 74 makes a temporary copy of the master mapping table 178. At blocks 1004 and 1006 respectively, the name service manager 74 empties its output queue of any transaction records 183 and stops the output queue from sending any transaction containers 184 to the filter executive program 76. Then, at block 1008, the name service manager 74 allows updates to the master mapping table 178 to resume. At block 1010, the name service manager 74 outputs to the filter executive program 76 a transaction container 184 containing all of the active records found in the temporary copy of the master mapping table; more specifically, the name service manager 74 outputs a transaction container 184 comprising a header 185 and every record in the temporary copy of the master mapping table whose in-use flag is set. Finally, at block 1012, the name service manager 74 allows the output queue to output transaction containers 184 to the filter executive program 76 again. The logic then ends at block 1014.
Returning to block 844 in Figure 29A, once the name service manager 74 has registered the filter executive program 76 as described above and opened communication with the filter executive program 76, the name service manager 74 can begin sending transaction containers 184 to the filter executive program 76 on a regular basis. The logic implemented by the filter executive program 76 to process transaction containers 184 is shown in more detail in Figure 36. The logic starts at block 1016 in Figure 36 and proceeds to decision block 1018, where it determines whether the filter executive program 76 has received a transaction container 184 from the name service manager 74. If not, decision block 1018 is repeated until a transaction container 184 is received. When this occurs, the logic proceeds to decision block 1020, where the filter executive program 76 determines whether the transaction container 184 contains an initial message from the name service manager 74. If so, the filter executive program 76 sets itself to the initialised state at block 1022. The logic then returns to decision block 1018, where the filter executive program 76 waits for the next transaction container 184 from the name service manager 74.
Returning to decision block 1020, if the transaction container 184 received from the name service manager 74 does not contain an initial message, the logic proceeds to decision block 1024, where it determines whether the transaction container 184 contains a close message from the name service manager. If so, at block 1026 the filter executive program 76 sets itself to the uninitialised state and stops transmitting mapping information to the name service manager 74. The logic then returns to decision block 1018, where the filter executive program 76 waits for a further transaction container 184 from the name service manager 74.
Returning to decision block 1024, if the transaction container 184 received contains neither an initial message nor a close message, the logic proceeds to decision block 1028, where it determines whether the transaction container 184 is an update container. If not, the filter executive program 76 logs a transaction container protocol failure event at block 1030 and returns to decision block 1018 to wait for a further transaction container 184. If the transaction container 184 received is an update container, the logic proceeds to block 1032 and obtains the first transaction record 183 in the transaction container 184. At decision block 1034, the logic determines whether the transaction record 183 is the last transaction record in the transaction container. If so, the logic returns to decision block 1018 and the filter executive program 76 waits for a further transaction container 184. If the transaction record 183 is not the last transaction record in the transaction container 184, the logic determines at decision block 1036 whether the transaction record is a login update record. If so, a user has logged in to a computer connected to LAN 44, and the user mapping rule table 140 stored by the filter engine 78 must be updated so that the filter engine 78 can begin filtering the IP packets associated with that user. To that end, the filter executive program 76 generates and sends the filter engine a login update record containing the user ID and login name of the user, the source IP address, and the computer name and domain name found in the transaction record 183. In addition, the login update record sent to the filter engine contains a replace action flag, and its user-logged-in flag is set.
If, on the other hand, the transaction record 183 from the received transaction container 184 is a logout update record rather than a login update record, the filter executive program 76 prepares and sends a logout record to the filter engine at block 1038. The logout record contains the user ID and login name of the user, the source IP address, the computer name and domain name of the computer, and a delete action flag. In addition, the user-logged-in flag in the logout record is cleared.
After the filter executive program 76 has delivered the appropriate login or logout record to the filter engine 78, the logic proceeds to block 1042, where the filter executive program 76 obtains the next transaction record from the transaction container 184 received from the name service manager 74. Blocks 1034 to 1042 are then repeated for each transaction record 183 in the received transaction container 184. It will be appreciated that, as the filter engine 78 updates its user mapping rule table 140 according to the login and logout records received from the filter executive program 76, the filter engine 78 will correspondingly begin or stop filtering IP packets according to the new computer-to-user or IP-address-to-computer mapping.
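The following added example (not the patent's code) implements the filter executive program side of Figure 36: the initial and close messages toggle the initialised state, a container that is not an update container is logged as a protocol failure, and the login and logout update records of an update container are translated into the records the filter engine 78 receives, with the replace or delete action flag and the user-logged-in flag set or cleared as described. A minimal filter engine then applies those records to its user mapping rule table 140. The user-ID directory, the choice of source IP address as the rule table key and the shape of the records are assumptions; the patent names the fields but not their representation.

```python
# Assumed directory of user IDs keyed by login name; the patent names the user
# ID field but not where the filter executive program obtains it.
USER_IDS = {"alice": 1001, "bob": 1002}


def to_engine_record(tx):
    """Translate a login or logout transaction record 183 into the record sent
    to filter engine 78; address updates yield None (Figure 36 forwards only
    login and logout records to the engine)."""
    if tx["type"] not in ("login", "logout"):
        return None
    rec = {"user_id": USER_IDS.get(tx["login_name"]),
           "login_name": tx["login_name"],
           "source_ip": tx["ip"],
           "computer": tx["computer"],
           "domain": tx["domain"]}
    if tx["type"] == "login":
        rec.update(action="replace", logged_in=True)    # replace action flag, logged-in set
    else:
        rec.update(action="delete", logged_in=False)    # delete action flag, logged-in cleared
    return rec


class FilterEngine:
    """Filter engine 78: user mapping rule table 140, keyed here by source IP
    address because that is what an arriving IP packet carries (assumption)."""

    def __init__(self):
        self.rules = {}

    def apply(self, rec):
        if rec["action"] == "replace":
            self.rules[rec["source_ip"]] = {"user_id": rec["user_id"],
                                            "login_name": rec["login_name"],
                                            "logged_in": rec["logged_in"]}
        elif rec["action"] == "delete":
            self.rules.pop(rec["source_ip"], None)

    def user_for_packet(self, source_ip):
        """The user whose rules apply to a packet from source_ip, or None."""
        return self.rules.get(source_ip)


class FilterExecutive:
    """Filter executive program 76 as the name service application (Figure 36)."""

    def __init__(self, engine):
        self.engine = engine
        self.initialised = False
        self.events = []            # logged protocol failures

    def handle(self, container):
        header = container["header"]
        if header == "init":                       # block 1022
            self.initialised = True
        elif header == "close":                    # block 1026
            self.initialised = False
        elif header != "update":                   # block 1030
            self.events.append(("protocol_failure", header))
        else:                                      # blocks 1032 to 1042
            for tx in container["records"]:
                if tx["type"] == "null":           # last record: stop
                    break
                rec = to_engine_record(tx)
                if rec is not None:
                    self.engine.apply(rec)
        return self.initialised


if __name__ == "__main__":
    engine = FilterEngine()
    fe = FilterExecutive(engine)
    fe.handle({"header": "init", "records": []})
    # Constructed update container: alice logs in on WS1.
    fe.handle({"header": "update", "records": [
        {"type": "login", "domain": "corp", "computer": "WS1",
         "ip": "10.0.0.1", "login_name": "alice"}, {"type": "null"}]})
    print(engine.user_for_packet("10.0.0.1"))
```

The engine keys its rules by source IP address, so a logout record for an address the engine has already replaced by a later login is a no-op for the wrong user only if the executive delivers records in container order; the loop above preserves that order and stops at the null record rather than reading past it.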
Returning to block 844 in Figure 29A, once the name service manager 74 has registered the filter executive 76 as a name service application and opened communication with the filter executive 76 so that it can receive and process transaction containers 184, logic returns to decision block 836 and the name service manager 74 waits for another transaction container 184.
Returning to decision block 842, if the received transaction container 184 does not contain an agent registration request or an application registration request, logic proceeds to decision block 846, where it determines whether the transaction container 184 contains a name service agent deregistration request. If so, the name service agent making the request, whether the filter executive 76, the domain controller agent 75 or the master agent 77, will no longer collect and send mapping information to the name service manager 74. Therefore, at block 848 the name service manager 74 deregisters the name service agent and closes communication with it; logic then returns to decision block 836 and the name service manager 74 waits for another transaction container 184.
Returning to decision block 846, if the received transaction container 184 does not contain an agent registration request, an application registration request or an agent deregistration request, logic proceeds to decision block 850, where it determines whether the transaction container 184 contains a name service application deregistration request, i.e., a deregistration request from the filter executive 76. If so, the filter executive 76 no longer wishes to receive mapping information from the name service manager 74. Therefore, the name service manager 74 deregisters the filter executive 76 and closes communication with it at block 848. Logic then returns to decision block 836, and the name service manager 74 waits for another transaction container 184.
Returning to decision block 850, if the received transaction container 184 does not contain an agent registration request, an application registration request, an agent deregistration request or an application deregistration request, logic proceeds to decision block 854, where it determines whether the transaction container 184 contains a query for mapping information from a name service agent or from the filter executive 76. If so, logic proceeds to decision block 856, where it determines whether the master mapping table 178 maintained by the name service manager 74 contains a record holding the requested mapping information. For example, if the filter executive 76 is seeking the mapping information for a particular user, i.e., the computer name, domain name and IP address assigned to that user, the name service manager 74 determines at block 856 whether the master mapping table 178 contains a record whose login name is the same as the login name supplied by the querying application or agent in the header 185 of the transaction container 184. If so, the name service manager 74 returns the record to the filter executive 76 at block 858. Similarly, if the filter executive 76 is seeking the mapping information for a particular computer, the name service manager 74 determines at decision block 856 whether the master mapping table 178 contains a record with the same computer name or IP address as that supplied by the querying application or agent in the header 185 of the transaction container 184. If so, the name service manager 74 returns the record to the filter executive at block 858. In either case, if no such record is found in the master mapping table 178, the name service manager 74 returns an invalid record to the requesting agent or filter executive at block 860. Logic then returns to decision block 836, and the name service manager 74 waits for another transaction container 184.
Returning to decision block 854, if the received transaction container 184 does not contain a query, a registration request or a deregistration request, the name service manager 74 determines whether the transaction container 184 is an update container. If not, the name service manager logs a protocol failure transaction container 184 at block 131, because the received container contains no registration or deregistration request, query or update. Logic then returns to decision block 836 in Figure 29A, and the name service manager 74 waits for another transaction container 184.
On the other hand, if the transaction container 184 received by the name service manager is an update container, the name service manager 74 obtains the first transaction record 183 in the container at block 864. At decision block 866, the name service manager 74 determines whether this record is the last record in the transaction container 184. If so, processing of the transaction container 184 is complete and logic returns to decision block 836 in Figure 29A; otherwise logic proceeds to decision block 868, where the name service manager determines whether the transaction record is a previous address update record. If so, logic proceeds to block 870, where the name service manager 74 processes the previous address update record. A previous address update record includes the old IP address and the computer name, but the domain name and login name in a previous address update record need not be valid.
The logic used by the name service manager 74 to process a previous address update record is shown in detail in Figure 37. Logic begins at block 1044 and proceeds to block 1046, where the name service manager 74 scans the master mapping table 178 for a record having the previous computer name identified in the previous address update transaction record. At decision block 1048, logic determines whether a record with the same computer name is found in the master mapping table 178. If not, a record is added to the master mapping table 178 at block 1050 that includes the previous computer name and an invalid IP address. The logged-in flag, the static source flag and the in-use flag in the newly added record are cleared. After a record having the previous computer name identified in the previous address update record has been found in the master mapping table 178, or after a record has been added to the master mapping table 178 because no such record was found, logic proceeds to decision block 1052, where the name service manager 74 determines whether the logged-in flag is set in the master mapping record just found or added in the master mapping table 178. In other words, the name service manager 74 determines whether a user is logged in to the computer identified by that record of the master mapping table 178.
It will be appreciated that when a previous address update transaction record is received by the name service manager 74, the name service manager 74 must update the master mapping table 178 to reflect that the IP address has gone out of scope for the computer connected to LAN 44, i.e., that for one or more reasons the computer is no longer associated with the IP address found in the previous address update record. Moreover, if the master mapping table 178 indicates that a user is logged in to the computer that was assigned the previous IP address, the user must be logged out of the computer at the previous IP address before the mapping record in the master mapping table 178 can be updated. Therefore, if the result of decision block 1052 is positive, the name service manager 74 clears the logged-in flag and the static source flag in the master mapping table record at block 1054. At block 1056, the name service manager generates and stores in the name service manager output queue a transaction record identified as a logout update record. The logout update record includes the computer name, domain name and computer IP address identified in the master mapping record and the login name of the user.
Returning to decision block 1052, if the logged-in flag in the retrieved master mapping record is not set, or if it was set and the appropriate logout transaction record has been generated, logic proceeds from decision block 1052 to block 1058. At block 1058, the name service manager 74 updates the master mapping table 178 to correctly reflect the IP address of the out-of-scope computer. More particularly, an invalid IP address is stored in the IP address field of the retrieved master mapping record. At the same time, the domain name and login name fields are cleared. In addition, the logged-in, static source and in-use flags are cleared. Logic then ends at block 1062.
It will be appreciated that as transaction records 183 are added to the output queue of the name service manager, the output queue delivers the transaction records 183, in the form of output transaction containers 184, to the filter executive 76. In the illustrated embodiment of the present invention, the filter executive 76 registers only for login and logout updates, so the output queue of the name service manager sends to the filter executive 76 only output transaction containers 184 that contain login and logout update records.
Returning to block 870 in Figure 29B, after the previous address update transaction record has been processed, logic skips blocks 872-884 and proceeds to block 886, where the name service manager 74 obtains the next transaction record in the received transaction container 184. Logic then returns to decision block 868 so that the next transaction record can be processed. If, however, the transaction record is not a previous address update record, logic proceeds from decision block 868 to decision block 872, where the name service manager 74 determines whether the transaction record is a current address update record. If so, the name service manager 74 processes the current address update record at block 874. The logic implemented by the name service manager 74 to process a current address update record is shown in more detail in Figure 38.
It will be appreciated that when a current address update record is received by the name service manager 74, the master mapping table 178 must be updated to reflect the new IP address that has been assigned to a computer connected to LAN 44. Accordingly, a current address update record includes the computer name of the computer and the new or current IP address assigned to the computer. The other fields of a current address update record may contain data, but that data need not be valid.
In this respect, logic begins at block 1064 in Figure 38 and proceeds to block 1066, where the name service manager 74 scans the master mapping table 178 for a record having the same computer name as the current computer name identified in the current address update record. At decision block 1068, the name service manager 74 determines whether such a record is found in the master mapping table 178. If not, at block 1070 the name service manager 74 adds to the master mapping table 178 a record identifying the current computer name from the current address update record and an invalid IP address. In addition, all flags in the record added to the master mapping table 178 are cleared.
Once the master mapping record containing the current computer name has been located in the master mapping table 178, or a record has been added because no such record was found, logic proceeds to decision block 1072. At decision block 1074, the name service manager 74 determines whether another master mapping record contains, as a valid IP address, the current IP address specified in the current address update record. In other words, the name service manager 74 determines whether that IP address was previously assigned to a different computer in the master mapping table. If so, that assignment must be removed so that the IP address can be assigned to the computer identified in the current address update record. Therefore, the other record in the master mapping table 178 having the current IP address specified in the current address update record is processed as a previous address update record at block 1076. As a result of processing the record as a previous address update record according to the logic shown in Figure 37, the IP address found in that master mapping record is made invalid, so the current IP address becomes free.
Returning to decision block 1072, if no other record in the master mapping table 178 has the current IP address, or if such a record exists and has been processed as described, logic proceeds to block 1076, where the name service manager 74 updates the master mapping record identified in the master mapping table 178 as having the current computer name. More particularly, the current computer name and current IP address specified in the current address update record are stored in the appropriate fields of the identified master mapping record.
Once the master mapping table 178 has been updated with the current IP address as described above, the name service manager 74 determines at decision block 1080 whether the IP address in the retrieved master mapping record was an invalid address before it was updated. If not, no further processing is needed and logic ends at block 1088. If, however, the previous IP address was invalid, the change to the current IP address may indicate a user login whose login update record was deferred until a valid IP address was indicated, and the login update record should now be generated. In this respect, logic proceeds from decision block 1080 to decision block 1082, where the name service manager 74 determines whether the logged-in flag is set in the identified master mapping record. If not, no user has logged in to the identified computer, so no login record is needed, and logic simply ends at block 1088. If the logged-in flag is set in the master mapping record, however, a user has logged in, so a login record may need to be output. Therefore, at block 1084 logic determines whether the IP address in the master mapping record is now a valid IP address, i.e., whether the IP address in the master mapping record has changed from an invalid address to a valid address. If not, the IP address is still invalid and no login update record is needed. If the IP address is now valid, logic proceeds to block 1086, where a transaction record 183 identified as a login record is generated and stored in the output queue of the name service manager; it includes the computer name, IP address, domain name and login name found in the master mapping record. Logic then ends at block 1088.
Returning to Figure 29B, once the current address update record has been processed at block 874, the name service manager obtains the next transaction record in the received transaction container 184 at block 886 so that the name service manager 74 can process the next transaction record.
Returning to decision block 872, if the transaction record is not a current address update record, the name service manager 74 determines at decision block 876 whether the transaction record is a logout update record. If so, the logout update record is processed at block 878. The logic implemented by the name service manager 74 to process a logout update record is shown in greater detail in Figure 39. A logout update record includes the login name of the user logging out, the domain name, the computer name, and the IP address of the computer from which the user is logging out. Logic begins at block 1090 and proceeds to block 1092, where the name service manager 74 scans the master mapping table 178 for a record having the same computer name as that identified in the logout record. At decision block 1094 the name service manager 74 determines whether such a master mapping record is found. If not, the name service manager 74 adds to the master mapping table 178 a record that includes the logout computer name and an invalid IP address. In addition, all flags in the added record are cleared.
If a record having the logout computer name is found in the master mapping table 178, or such a record has been added to the master mapping table 178, logic proceeds to decision block 1098, where the name service manager 74 determines whether the logged-in flag of the master mapping record is set. In other words, the name service manager 74 determines whether a user is logged in to the computer identified in the master mapping record. If the master mapping table 178 reflects that no user is logged in to the computer, an unexpected user logout event has occurred, and the name service manager logs this unexpected event at block 1108. If, however, the result of decision block 1098 is positive as expected, i.e., a user is logged in to the computer identified in the logout update record, logic proceeds to decision block 1100, where the name service manager 74 determines whether the logout update record was received from the static source of mapping information, i.e., the filter executive 76.
If the logout update record was received from the filter executive 76, the name service manager 74 is permitted to update the master mapping table 178 with the logout information, because mapping information provided by the filter executive 76 may be overwritten with updated information from the filter executive 76. If, on the other hand, the logout update record was received from a dynamic source of mapping information, i.e., the domain controller agent 75 or the master agent 77, the name service manager 74 is permitted to update the master mapping record with the logout information only if the mapping information in the master mapping record was not originally provided by the filter executive 76. In other words, mapping information provided by the static source, the filter executive, may not be overwritten with mapping information provided by a dynamic source, i.e., the domain controller agent 75 or the master agent 77. Therefore, if the result of decision block 1100 is positive, the master mapping record is updated at block 1102 with the computer name and IP address specified in the logout update record, while the login name and domain name in the master mapping record are cleared. In addition, the logged-in flag and the static source flag are cleared. Then, at block 1104, the name service manager 74 generates and stores in the output queue of the name service manager a transaction record identified as a logout update record, which includes the mapping information from the master mapping record.
Returning to decision block 1100, if the logout update record was not received from the static source, the name service manager must determine whether the mapping information in the master mapping record was originally provided by a dynamic source or by the static source. If it was provided by a dynamic source, i.e., the static source flag in the master mapping record is not set, the master mapping record is updated at block 1102 as described above and a logout record is stored in the output queue at block 1104. If, on the other hand, the mapping information in the master mapping record was originally provided by the static source, i.e., the static source flag in the master mapping record is set, logic skips blocks 1102 and 1104: the master mapping record is not updated and no logout record is generated. Logic simply proceeds to decision block 1110, where the name service manager 74 determines whether the IP address in the master mapping record changed during processing of the logout update record. If a new IP address was provided, the master mapping record must be processed as a current address update record at block 1112 according to the logic shown in Figure 38. If the IP address did not change, or once the master mapping record has been processed as a current address update record, logic ends at block 1114.
Returning to Figure 29B, after the logout transaction record has been processed at block 878, the name service manager obtains the next transaction record in the received transaction container 184 at block 886 so that the next transaction record 183 can be processed.
Returning to decision block 876, if the transaction record 183 is not a logout update record, the name service manager 74 determines at decision block 880 whether the transaction record 183 is a login update record. If so, the name service manager 74 processes the login update record at block 882. The logic implemented by the name service manager 74 to process a login record is shown in detail in Figures 40A and 40B. A login update record includes the login name and domain name of the user logging in, and the computer name and IP address of the computer the user is logging in to. Logic begins at block 1116 in Figure 40A and proceeds to block 1118, where the name service manager 74 scans the master mapping table 178 for a record having the computer name stored in the login update record. At decision block 1120, logic determines whether the name service manager 74 has found such a master mapping record in the master mapping table 178. If not, the name service manager 74 adds to the master mapping table 178 at block 1122 a record that includes the login computer name and an invalid IP address. In addition, all flags in the added record are cleared.
If a record having the login computer name is found in the master mapping table 178, or such a record has been added to the master mapping table 178, logic proceeds to block 1124, where the name service manager 74 determines whether the IP address in the login update record differs from the IP address identified in the master mapping record, or whether the IP address identified in the login record is a new IP address that is not found in the master mapping table 178. If either is the case, the computer identified by the computer name stored in the master mapping record and in the login update record has been assigned a new IP address, and the master mapping table 178 must be updated accordingly. To avoid unnecessary processing, however, the name service manager 74 determines at decision block 1126 whether the login IP address is valid before processing the new IP address any further. Therefore, if the login IP address is new or changed but valid, the login update record is processed as a current address update record at block 1128. As a result of the logic shown in Figure 38, the master mapping record having the computer name specified in the login update record is updated with the login IP address.
After the login update record has been processed as a current address update record, logic proceeds to decision block 1130, where the name service manager 74 determines whether the static source flag of the master mapping record was set before the current address update, i.e., whether the mapping information found in the master mapping record was originally provided by the filter executive 76, the static source of mapping information. If so, the name service manager 74 allows the master mapping record to be completely overwritten with the new login information only if the login update record was provided by the filter executive 76. In this respect, the name service manager 74 determines at decision block 1132 whether the login update record is from a dynamic source of mapping information, e.g., the domain controller agent 75, rather than from the filter executive 76. If so, the name service manager 74 overwrites the login name identified in the login update record with the login name found in the master mapping record that was originally provided by the filter executive 76.
Returning to decision block 1124, if the IP address in the login update record is the same as that in the master mapping record, or if it is invalid, the login update record need not be processed as a current address update record, and logic proceeds directly to decision block 1136 in Figure 40B. Likewise, with reference to block 1130, if the mapping information in the master mapping record was not originally provided by the static source, or if the login update record was not received from a dynamic source, the login name specified in the login update record need not be overwritten, and logic also proceeds directly to decision block 1136.
At decision block 1136, logic determines whether the static source flag in the master mapping record is currently set (i.e., the mapping information in the record was provided by the filter executive 76) and whether the login update record was received from a dynamic source, e.g., the domain controller agent 75. If so, the mapping information in the master mapping record may not be overwritten with the mapping information in the login update record, and logic ends at block 1138. Otherwise logic proceeds to decision block 1140, where it determines whether another user is logged in to the same computer. More particularly, the name service manager 74 determines whether the login name contained in the master mapping record differs from the login name specified in the update record. If so, the other master mapping record is processed at block 1142 as a user logout update, so that the master mapping table 178 reflects the logout of the other user.
If the result of decision block 1140 is negative, or once the master mapping record has been processed as a logout update record, logic proceeds to decision block 1144, where the name service manager determines whether the user identified in the login update record has already logged in to the computer identified in the login update record. In other words, the name service manager 74 determines whether the logged-in flag in the master mapping record is set. If so, logic simply ends at block 1146.
Returning to decision block 1144, if the user identified in the login update record is not logged in to the same computer, logic determines at block 1148 whether the IP address provided in the login update record is invalid. If so, the login update record is updated at block 1150 with the IP address in the master mapping record.
Returning to decision block 1148, if the IP address provided in the login update record is valid, logic proceeds to block 1152, where the name service manager 74 updates the master mapping record with the computer name, IP address, login name and domain name specified in the login update record. In addition, the logged-in flag is set, and the static source flag is set or cleared to reflect whether the source of the login update record is a dynamic source, such as the domain controller 75, or the static source, the filter executive 76. Then, at decision block 1154, the name service manager 74 determines whether the IP address in the master mapping record updated at block 1152 is valid. If not, the name service manager 74 defers generating and outputting the login update record to the name service application until, as described above, a valid IP address is assigned during a current address update, and logic ends at block 1158. If the IP address in the master mapping record is valid, however, the name service manager 74 finally generates the login update record at block 1156, including the computer name, IP address, domain name and login name from the master mapping record. Logic then ends at block 1158.
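As an added example, not the patent's own code, the following models the master mapping table 178 and the four update record handlers of Figures 37 to 40 described above (previous address, current address, logout and login updates), including the static source rule, the logout forced by an address conflict, and the deferral of a login record until a valid address arrives. The class, field and method names, the use of None as the invalid IP address and the source labels are assumptions; the login-name rewrite of blocks 1130 to 1134 is omitted because, in this model, decision block 1136 ends processing in exactly those cases.

```python
from dataclasses import dataclass
from typing import Optional

INVALID_IP = None                    # assumption: an invalid IP address is modelled as None
STATIC = "filter_executive"          # the static source of mapping information (filter executive 76)
DYNAMIC = "domain_controller_agent"  # a dynamic source (domain controller agent 75 or master agent 77)


@dataclass
class MapRecord:
    """One record of the master mapping table 178 with the three flags the text names."""
    computer: str
    ip: Optional[str] = INVALID_IP
    domain: str = ""
    login: str = ""
    logged_in: bool = False
    static_source: bool = False
    in_use: bool = False


class NameServiceManager:
    def __init__(self):
        self.table = {}          # master mapping table 178, keyed by computer name
        self.output_queue = []   # login/logout update records for the filter executive
        self.events = []         # unexpected events logged by the manager (block 1108)

    def _find_or_add(self, computer):
        # Locate the record for this computer name, or add one with an invalid IP
        # address and all flags cleared (blocks 1050, 1070, 1122 and the logout equivalent).
        return self.table.setdefault(computer, MapRecord(computer))

    def _emit(self, kind, rec):
        # Queue a login or logout update record built from the master mapping record.
        self.output_queue.append({"type": kind, "computer": rec.computer, "ip": rec.ip,
                                  "domain": rec.domain, "login": rec.login})

    def previous_address_update(self, computer):
        # Figure 37: the computer no longer holds the IP address in its record.
        rec = self._find_or_add(computer)
        if rec.logged_in:                               # decision block 1052
            rec.logged_in = rec.static_source = False   # block 1054
            self._emit("logout", rec)                   # block 1056
        rec.ip = INVALID_IP                             # block 1058
        rec.domain = rec.login = ""
        rec.logged_in = rec.static_source = rec.in_use = False

    def current_address_update(self, computer, ip):
        # Figure 38: the computer has been assigned a new (current) IP address.
        rec = self._find_or_add(computer)
        for other in list(self.table.values()):         # decision block 1072
            if other is not rec and other.ip == ip:
                # another computer holds this address: free it as a previous address update
                self.previous_address_update(other.computer)
        was_invalid = rec.ip is INVALID_IP
        rec.ip = ip                                     # block 1076
        # Blocks 1080-1086: a login deferred for want of a valid address is output now.
        if was_invalid and rec.logged_in and ip is not INVALID_IP:
            self._emit("login", rec)

    def logout_update(self, computer, ip, login, domain, source):
        # Figure 39: the named user has logged out of the computer.
        rec = self._find_or_add(computer)
        if not rec.logged_in:                           # decision block 1098
            self.events.append(f"unexpected logout of {login} from {computer}")  # block 1108
            return
        # Decision block 1100: a dynamic source may not overwrite static-source information.
        if source == STATIC or not rec.static_source:
            self._emit("logout", rec)                   # block 1104, built before clearing
            rec.login = rec.domain = ""                 # block 1102
            rec.logged_in = rec.static_source = False
        if ip is not INVALID_IP and ip != rec.ip:       # decision block 1110
            self.current_address_update(computer, ip)   # block 1112

    def login_update(self, computer, ip, login, domain, source):
        # Figures 40A and 40B: the named user has logged in to the computer.
        rec = self._find_or_add(computer)
        if ip is not INVALID_IP and ip != rec.ip:       # decision blocks 1124-1126
            self.current_address_update(computer, ip)   # block 1128
        if rec.static_source and source == DYNAMIC:     # decision block 1136
            return                                      # block 1138: static info is kept
        if rec.logged_in and rec.login != login:        # decision block 1140
            self._emit("logout", rec)                   # block 1142: other user logged out
            rec.login = rec.domain = ""
            rec.logged_in = False
        if rec.logged_in:                               # decision block 1144
            return                                      # block 1146: already logged in
        if ip is INVALID_IP:                            # decision block 1148
            ip = rec.ip                                 # block 1150
        rec.ip, rec.login, rec.domain = ip, login, domain   # block 1152
        rec.logged_in, rec.static_source = True, source == STATIC
        if rec.ip is not INVALID_IP:                    # decision block 1154
            self._emit("login", rec)                    # block 1156
        # otherwise the login record waits for a valid address (blocks 1080-1086)
```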
While the preferred embodiments of the present invention have been illustrated and described, it will be appreciated that various changes can be made therein without departing from the spirit and scope of the invention. For example, if LAN 44 is not connected to the Internet (80), the network supervisor 80 can be used to manage only the activity of the intranet, i.e., to manage the communication of data packets only between computers connected to LAN 44.

Claims (70)

1. A computer-readable medium having computer-executable components for managing the communication of data packets between an enterprise intranet and the Internet, the intranet connecting a plurality of computers via a communication medium and the Internet connecting a plurality of intranets via a communication medium, the computer-executable components of the computer-readable medium comprising:
(a) a graphical user interface for enabling an administrator of a computer connected to the intranet to enter:
(i) user information identifying each user of a computer connected to the intranet;
(ii) mapping information for each identified user and each computer connected to the intranet; and
(iii) for each identified user, a user policy for handling data packet communication between the identified user and the Internet;
(b) a database for storing the user information, mapping information and user policy provided by the administrator for each identified user using the graphical user interface;
(c) a filter executive for optimizing the user policy stored in the database for each identified user into a rule set for each identified user;
(d) a filter engine for filtering data packets communicated between the intranet and the Internet according to the rule set optimized by the filter executive for each identified user and the mapping information for each identified user; and
(e) a name service manager for updating the mapping information for each identified user entered by the administrator using the graphical user interface.
2. The computer-readable medium of claim 1, wherein the mapping information for each identified user comprises:
(a) a computer-to-user mapping identifying the login name of the identified user and the computer name of the computer assigned to the identified user; and
(b) a computer-to-address mapping identifying the computer name of the computer assigned to the identified user and the Internet Protocol address of the computer.
3. The computer-readable medium of claim 2, wherein the filter engine filters data packets by:
for each data packet communicated between the intranet and the Internet,
(a) scanning the mapping information of each user for a mapped computer whose Internet Protocol address matches the address of the computer from which the data packet was sent;
(b) comparing the data packet with the rule set of the identified user assigned to the mapped computer; and
(c) if the data packet matches at least one rule of the rule set, returning a filter result for the at least one rule, wherein the filter result indicates whether the filter engine should refuse to transmit the data packet.
4. The computer-readable medium of claim 3, wherein if the data packet does not match at least one rule of the rule set, the filter engine instead returns a default result for the data packet, wherein the default result indicates whether the filter engine should refuse to transmit the data packet.
5. The computer-readable medium of claim 4, wherein the filter engine also returns the default result if no mapped computer is found whose Internet Protocol address matches the address of the computer from which the data packet was sent.
6. The computer-readable medium of claim 5, wherein the filter result and the default result further indicate whether the filter engine should log the data packet.
7. The computer-readable medium of claim 5, wherein the filter result and the default result further indicate whether the identified user assigned to the mapped computer, whose Internet Protocol address matches the address of the computer from which the data packet was sent, should be notified that the data packet matched at least one rule of the rule set.
8. The computer-readable medium of claim 2, wherein each user policy entered by the administrator for each identified user comprises at least one of:
(a) a file type policy indicating whether files having a particular file extension may be communicated between the identified user and the Internet;
(b) an application protocol policy indicating whether a particular application protocol may be used to transmit data between the identified user and the Internet;
(c) a site policy indicating whether the identified user may communicate with a particular computer site on the Internet; and
(d) a quota policy indicating how much data may be communicated between the identified user and the Internet in a given time interval.
9. computer-readable medium according to Claim 8, wherein database periodically breaks rules for an identifying user with quota strategy calculates quota, wherein quota breaks rules and indicate whether that excess data communicates by letter between identifying user and internet, wherein to the following calculating that breaks rules of the quota of each identifying user with quota strategy:
(a) be accumulated in during the given interval sum of each packet data byte of communicating by letter between identifying user and the internet; And
(b) data byte and compare with the quota strategy of identifying user.
10. The computer-readable medium of claim 2, wherein the graphical user interface also allows the administrator to organize the identified users into a group hierarchy having a root group that contains all identified users and a number of subgroups, each subgroup containing at least one identified user.
11. The computer-readable medium of claim 10, wherein the graphical user interface also allows the administrator to enter at least one user policy as a group policy, wherein the group policy is applied to a group of the hierarchy so that each identified user contained in the group inherits the group policy.
12. The computer-readable medium of claim 11, wherein, if a group policy inherited by an identified user conflicts with a user policy of that identified user, the database resolves the conflict so that only one of the user policy and the group policy is applied to the user.
13. The computer-readable medium of claim 12, wherein the database prepares the user and group policies entered by the administrator for optimization by the filter executive by:
(a) collecting all user policies entered for each identified user;
(b) collecting all entered group policies inherited by each identified user; and
(c) storing each group policy and each user policy of each identified user as a user policy to be applied directly to that identified user.
14. The computer-readable medium of claim 13, wherein the filter executive optimizes each user policy into the rule set of each identified user by defining each rule of the rule set according to at least one corresponding single user policy stored in the database, wherein each rule governs how the filter engine filters packets that match the rule.
15. The computer-readable medium of claim 14, wherein each rule in the rule set of each identified user comprises at least one of the following:
(a) a file extension rule governing how the filter engine filters matching packets, communicated between the identified user and the internet, that contain information from a file having a particular file extension;
(b) an application protocol rule governing how the filter engine filters matching packets communicated between the identified user and the internet using a particular application protocol; and
(c) a combined site and protocol rule governing how the filter engine filters matching packets communicated between the identified user and a particular internet site using a particular application protocol.
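As an added illustration of claims 8 to 15 (example code, not the patent's own), the following Python models a group hierarchy with inherited group policies, resolves user/group conflicts so that only one policy applies, optimizes the stored policies into each user's rule set, and computes the quota violation of claim 9. The user names, group names, addresses and the conflict-resolution order (user policy wins, deeper group wins) are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Policy:
    """One administrator-entered policy (claim 8). Constructed data model, not the patent's."""
    kind: str      # "file_type", "app_protocol", "site" or "quota"
    value: str     # file extension, protocol name, site address, or byte quota as text
    allowed: bool  # whether the described communication is permitted


@dataclass
class Group:
    """A node of the group hierarchy (claim 10); the root contains every identified user."""
    name: str
    policies: List[Policy] = field(default_factory=list)
    members: List[str] = field(default_factory=list)
    subgroups: List["Group"] = field(default_factory=list)


def inherited_policies(root: Group) -> Dict[str, List[Policy]]:
    """Claims 11 and 13(b): each user inherits the policies of every group containing it,
    from the root down to the subgroup that lists the user as a member."""
    result: Dict[str, List[Policy]] = {}

    def walk(node: Group, inherited: List[Policy]) -> None:
        applicable = inherited + node.policies
        for user in node.members:
            result.setdefault(user, []).extend(applicable)
        for sub in node.subgroups:
            walk(sub, applicable)

    walk(root, [])
    return result


def effective_policies(user_policies: List[Policy],
                       group_policies: List[Policy]) -> List[Policy]:
    """Claims 12 and 13(c): merge the user's own policies with the inherited group policies.
    Two policies conflict when they name the same (kind, value) with different verdicts, and
    only one may apply. Assumption: the user's own policy beats an inherited one, and a
    deeper group's policy beats an ancestor's (the claims leave this choice open)."""
    chosen: Dict[Tuple[str, str], Policy] = {}
    for pol in group_policies:           # ancestors come first, so deeper groups overwrite
        chosen[(pol.kind, pol.value)] = pol
    for pol in user_policies:            # the user's own policy overwrites any group policy
        chosen[(pol.kind, pol.value)] = pol
    return list(chosen.values())


def optimize(policies: List[Policy]) -> List[Tuple[str, str, bool]]:
    """Claims 14 and 15: turn one user's stored policies into the rule set the filter engine
    consults. Rules are (rule_type, key, allowed) tuples. A site policy is combined with each
    application protocol policy into a site-and-protocol rule (claim 15(c)); assumption: the
    pair is allowed only when both policies allow it. Quota policies yield no rule, since the
    database checks them separately (claim 9)."""
    protocols = [p for p in policies if p.kind == "app_protocol"]
    rules: List[Tuple[str, str, bool]] = []
    for pol in policies:
        if pol.kind == "file_type":
            rules.append(("file_extension", pol.value.lower(), pol.allowed))
        elif pol.kind == "app_protocol":
            rules.append(("application_protocol", pol.value, pol.allowed))
        elif pol.kind == "site":
            for proto in protocols:
                rules.append(("site_and_protocol", f"{pol.value}/{proto.value}",
                              pol.allowed and proto.allowed))
    return rules


def quota_violation(policies: List[Policy], packets: List[Tuple[int, int]],
                    interval_start: int, interval_end: int) -> bool:
    """Claim 9: sum the data bytes of the user's packets, given as (timestamp, byte count),
    that fall inside the interval and compare the sum with the user's quota policy."""
    quota = next((int(p.value) for p in policies if p.kind == "quota"), None)
    if quota is None:
        return False
    total = sum(size for ts, size in packets if interval_start <= ts < interval_end)
    return total > quota


# Constructed hierarchy: a root group (all users) with one "engineering" subgroup.
ROOT = Group(
    "root",
    policies=[Policy("file_type", "exe", False), Policy("app_protocol", "http", True)],
    members=["carol"],
    subgroups=[Group("engineering",
                     policies=[Policy("app_protocol", "ftp", True),
                               Policy("site", "203.0.113.5", True)],
                     members=["alice", "bob"])],
)

# Constructed per-user policies; alice's file_type policy conflicts with the root's.
USER_POLICIES: Dict[str, List[Policy]] = {
    "alice": [Policy("file_type", "exe", True), Policy("quota", "1000000", True)],
    "bob": [],
}


def rule_sets() -> Dict[str, List[Tuple[str, str, bool]]]:
    """Build every identified user's optimized rule set from the stored policies."""
    inherited = inherited_policies(ROOT)
    return {user: optimize(effective_policies(USER_POLICIES.get(user, []), inherited[user]))
            for user in inherited}
```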
16. The computer-readable medium of claim 2, wherein the graphical user interface also allows the administrator to enter system policies for all identified users, the system policies governing packet communication between all identified users and the internet.
17. The computer-readable medium of claim 16, wherein the system policies comprise system default policies, the system default policies comprising:
(a) an allow-logging policy indicating whether the filter engine is to record the packets that the filter engine allows to be transmitted between the intranet and the internet;
(b) a simulated rule enforcement policy indicating whether the filter engine is to simulate packet filtering according to the user rule set of each identified user; and
(c) a failure message policy indicating whether the filter engine is to send a message to the identified user indicating how the filter engine filtered the packet.
18. The computer-readable medium of claim 17, wherein the filter executive optimizes the system default policies into a system default rule set for all identified users by:
(a) defining from the allow-logging policy a Log-on-off rule governing whether the filter engine is to record the packets that the filter engine allows to be transmitted between the intranet and the internet;
(b) defining from the simulated rule enforcement policy a Log-no-block rule governing whether the filter engine is to simulate packet filtering for the user rule set of each identified user by recording and transmitting the packets regardless of how the filter engine would otherwise filter them; and
(c) defining from the failure message policy a notify-no-notify rule governing whether the filter engine is to send a message to the identified user indicating how the filter engine filtered the packet.
19. The computer-readable medium of claim 18, wherein the system policies also comprise global network protocol policies, wherein each global network protocol policy indicates whether a particular network protocol may be used to transfer data between all identified users of the number of computers connected to the intranet and the internet.
20. The computer-readable medium of claim 19, wherein the filter executive optimizes the global network protocol policies into inbound and outbound global network protocol rule sets for all identified users by:
(a) defining from each global network protocol policy an inbound global network protocol rule governing how the filter engine filters packets communicated from the internet to the identified users using the particular network protocol; and
(b) defining from each global network protocol policy an outbound global network protocol rule governing how the filter engine filters packets communicated from the identified users to the internet using the particular network protocol.
21. The computer-readable medium of claim 20, wherein the system policies also comprise time schedule policies, wherein each time schedule policy indicates that, during a time schedule, data may be communicated between all identified users and the internet using a particular application protocol.
22. The computer-readable medium of claim 21, wherein the filter executive optimizes the time schedule policies into a time rule set for all identified users by defining a time rule according to each time schedule policy, the time rule governing how the filter engine filters packets communicated between the identified users and the internet using the particular application protocol within the specified time interval.
23. The computer-readable medium of claim 2, wherein the name service manager updates the mapping information by:
(a) collecting updated computer-to-user mappings when identified users log in to and log out of computers connected to the intranet; and
(b) replacing, by means of the filter executive, the existing computer-to-user mappings with the updated computer-to-user mappings collected according to at least one name service agent.
24. The computer-readable medium of claim 23, wherein the name service manager updates the mapping information for each identified user by:
(a) collecting updated computer-to-address mappings when the address of at least one computer assigned to the identified user changes; and
(b) replacing, by means of the filter executive, the existing computer-to-address mappings with the updated computer-to-address mappings collected according to at least one name service agent.
25. The computer-readable medium of claim 1, wherein a number of administrators are allowed to enter user information, mapping information and user policies with the graphical user interface, and wherein each administrator is assigned an administrative level that determines which types of user information, mapping information and user policies that administrator is allowed to enter with the graphical user interface.
26. An apparatus for managing packet communication between an enterprise intranet and the internet, the intranet connecting a number of computers through a communication medium and the internet connecting a number of intranets through a communication medium, the apparatus comprising:
(a) a storage medium for storing:
(i) a database comprising user information, mapping information and policies for each user of the computers connected to the intranet, wherein the user information identifies each user, the mapping information maps each user to a computer connected to the intranet, and the policies govern packet communication between each user and the internet;
(ii) a filter executive that optimizes the user policies of each user stored in the database into a rule set for each user;
(iii) a filter engine that filters packets communicated between the intranet and the internet according to the rule set of each user optimized by the filter executive and the mapping information of each user; and
(iv) a name service manager for updating the mapping information for each user; and
(b) a processing unit electronically coupled to the storage medium for executing program instructions that maintain the database, implement the filter executive, implement the filter engine and implement the name service manager.
27. The apparatus of claim 26, wherein the mapping information mapping each user to a computer connected to the intranet comprises:
(a) a computer-to-user mapping identifying the login name of the user and the computer name of the computer assigned to the user; and
(b) a computer-to-address mapping identifying the computer name of the computer assigned to the user and the Internet Protocol address of that computer.
28. The apparatus of claim 27, wherein the processing unit executes program instructions that cause the filter engine to filter packets by, for each packet communicated between the intranet and the internet:
(a) scanning the mapping information of each user for the Internet Protocol address of a mapped computer, assigned to a user, that matches the address of the computer from which the packet was sent;
(b) comparing the packet with the rule set of the user assigned to the mapped computer; and
(c) if the packet matches at least one rule of the rule set, returning a filter result for that at least one rule, wherein the filter result indicates whether the filter engine refuses to transmit the packet.
29. The apparatus of claim 28, wherein, if the packet does not match at least one rule of the rule set, the processing unit executes program instructions that cause the filter engine to further filter the packet by returning a default result for that at least one rule, wherein the default result indicates whether the filter engine refuses to transmit the packet.
30. The apparatus of claim 30, wherein the filter engine also returns the default result if no Internet Protocol address of a mapped computer is found that matches the address of the computer from which the packet was sent.
31. The apparatus of claim 30, wherein the filter result and the default result also indicate whether the filter engine is to record the packet.
32. The apparatus of claim 30, wherein the filter result and the default result also indicate whether the user assigned to the mapped computer, whose Internet Protocol address matches the address of the computer from which the packet was sent, is to be notified that the packet matched at least one rule of the rule set.
33. The apparatus of claim 27, further comprising an input device for allowing an administrator to enter the user information, mapping information and policies of each user.
34. The apparatus of claim 33, wherein the input device also allows the administrator to organize the users into a group hierarchy having a root group that contains all users and a number of subgroups, each subgroup containing at least one user.
35. The apparatus of claim 34, wherein the input device also allows the administrator to enter at least one user policy applied to each user, wherein the user policy governs packet communication between the user and the internet.
36. The apparatus of claim 35, wherein the input device also allows the administrator to enter at least one group policy, wherein the group policy is applied to a group of the hierarchy so that each user contained in the group inherits the group policy, and wherein the group policy governs packet communication between each user contained in the group and the internet.
37. The apparatus of claim 36, wherein, if a group policy inherited by a user conflicts with a user policy of that user, the database resolves the conflict so that only one of the user policy and the group policy is applied to the user.
38. The apparatus of claim 36, wherein the processing unit executes program instructions that cause the filter executive to optimize the user policies and group policies into a rule set for each user by defining each rule of the rule set according to at least one corresponding single user policy stored in the database, wherein each rule governs how the filter engine filters packets, communicated between the user and the internet, that match the rule.
39. The apparatus of claim 38, wherein each user policy defined from the user policies and the group policies comprises at least one of the following:
(a) a file type policy indicating whether files with a particular file extension may be communicated between the user and the internet;
(b) an application protocol policy indicating whether information transferred using a particular application protocol may be communicated between the user and the internet;
(c) a site policy indicating whether information may be communicated between the user and a particular computer site on the internet; and
(d) a quota policy indicating how much information may be communicated between the user and the internet in a given time interval.
40. The apparatus of claim 39, wherein the processing unit executes program instructions that cause the filter executive to establish a user rule set for each user, comprising:
(a) defining a file extension rule according to each file type policy, wherein the file extension rule governs whether packets containing information from a file having a particular file extension may be communicated between the user and the internet;
(b) defining an application protocol rule according to each application protocol policy, wherein the application protocol rule governs whether packets communicated using a particular application protocol may be communicated between the user and the internet; and
(c) defining a combined site and protocol rule according to each site policy and application protocol policy, wherein the combined site and protocol rule governs whether packets may be communicated between the identified user and a particular computer site on the internet.
41. The apparatus of claim 40, wherein the input device also allows the administrator to enter a set of system default policies applied to all users contained in the root group of the hierarchy, wherein each system default policy indicates whether certain information may be communicated between any user contained in the root group and the internet.
42. The apparatus of claim 41, wherein the processing unit executes program instructions that cause the filter executive to establish, according to the set of system default policies, a system default rule set for all users contained in the root group of the hierarchy, wherein the system default rule set governs whether packets containing said information may be communicated between any user contained in the root group and the internet.
43. The apparatus of claim 42, wherein the input device also allows the administrator to enter a set of global network policies applied to all users contained in the root group of the hierarchy, wherein each global network policy indicates whether certain information may be communicated between any user contained in the root group and the internet using a particular network protocol.
44. The apparatus of claim 43, wherein the processing unit executes program instructions that cause the filter executive to establish, according to the set of global network policies, a global network protocol rule set for all users contained in the root group of the hierarchy, wherein the global network rule set governs whether packets containing said information may be communicated between any user contained in the root group and the internet using the particular network protocol.
45. The apparatus of claim 44, wherein the input device also allows the administrator to enter a set of time schedule policies applied to all users contained in the root group of the hierarchy, wherein each time schedule policy indicates that, during a time schedule, certain information may be communicated between any user contained in the root group and the internet using a particular application protocol.
46. The apparatus of claim 45, wherein the processing unit executes program instructions that cause the filter executive to establish, according to the set of time schedule policies, a time rule set for all users contained in the root group of the hierarchy, wherein the time rule set indicates whether packets containing said information may be communicated between any user contained in the root group and the internet using the particular application protocol during the time schedule.
47. The apparatus of claim 27, wherein the processing unit executes program instructions that cause the name service manager to update the mapping information by:
(a) collecting updated computer-to-user mappings; and
(b) replacing, by means of the filter executive, the existing computer-to-user mappings with the updated computer-to-user mappings collected according to at least one name service agent.
48. The apparatus of claim 47, wherein the processing unit executes program instructions that cause the name service manager to update the mapping information by:
(a) collecting updated computer-to-address mappings; and
(b) replacing, by means of the filter executive, the existing computer-to-address mappings with the updated computer-to-address mappings collected according to at least one name service agent.
49. the method for information communication between a large amount of computer users that are used for managing linking intranet and the internet, wherein the internet connects a large amount of intranets, and this method comprises:
(a) identify each user who links the online a large amount of computers of enterprises;
(b) shine upon each user continuously to linking at least one the online computer of enterprises:
(c) set up the user policy collection for each user who handles information communication between user and the internet; And
(d) according to each user's user policy collection, filter the information of communicating by letter between online a large amount of computer users of enterprises and the internet of linking.
50. according to the method for claim 49, wherein each user is mapped at least one the computer, this by means of:
(a) with host name and this at least one computer of address designation; And
(b) distribute at least one the computer that is identified to give the user.
51. according to the method for claim 50, also will be added to each user in the group system layering that comprises a group and big quantum group, root group wherein comprises each user, and wherein each son group comprises a user at least.
52. according to the method for claim 51, also comprise at least one subscriber policy of using facing to each user, subscriber policy wherein indicates whether that some information can communicate by letter between user and internet.
53. method according to claim 52, also comprise with at least one group policy in the face of the system layer group, so that each user who is included in the system layer group inherits group policy, wherein group policy indicates whether that some information can communicate by letter between user and internet.
54., wherein comprise for each user sets up the user policy collection according to the method for claim 53:
(a) according to each subscriber policy definition user policy of using in the face of the user, wherein whether user policy is arranged the packet of information and can be communicated by letter between user and internet; And
(b) each group policy of inheriting according to the user, the definition user policy, wherein whether user policy is arranged the packet of information and can be communicated by letter between user and internet.
55.,, comprise one of following at least wherein according to the user policy of subscriber policy definition according to the method for claim 54:
(a) file type strategy indicates whether that the file with specific file extension can communicate by letter between user and internet;
(b) application protocol strategy indicates whether to use the information of application-specific protocol transmission to communicate by letter between user and internet;
(c) site policy indicates whether that information can communicate by letter the user with between computer website specific on the internet.
(d) quota strategy, how much information indication has to communicate by letter between user and internet in given interval.
56. The method of claim 55, wherein the user rule set established for each user comprises:
(a) a file extension rule defined according to each file type policy, wherein the file extension rule governs whether packets containing information from a file having a particular file extension may be communicated between the user and the internet;
(b) an application protocol rule defined according to each application protocol policy, wherein the application protocol rule governs whether packets communicated using a particular application protocol may be communicated between the user and the internet; and
(c) a combined site and protocol rule defined according to each site policy and application protocol policy, wherein the combined site and protocol rule governs whether packets may be communicated between the identified user and a particular computer site on the internet.
57. The method of claim 54, further comprising applying a set of system default policies to all users contained in the root group of the hierarchy, wherein each system default policy indicates whether certain information may be communicated between any user contained in the root group and the internet.
58. The method of claim 57, further comprising establishing, according to the set of system default policies, a system default rule set for all users contained in the root group of the hierarchy, wherein the system default rule set governs whether packets containing said information may be communicated between any user contained in the root group and the internet.
59. The method of claim 58, further comprising applying a set of global network policies to all users contained in the root group of the hierarchy, wherein each global network policy indicates whether certain information may be communicated between any user contained in the root group and the internet using a particular network protocol.
60. The method of claim 59, further comprising establishing, according to the set of global network policies, inbound and outbound global network protocol rule sets for all users contained in the root group of the hierarchy, wherein the inbound global network rule set governs whether packets of information using the particular network protocol may be communicated from the internet to any user contained in the root group, and wherein the outbound global network rule set governs whether packets of information may be communicated from any user contained in the root group to the internet using the particular network protocol.
61. The method of claim 60, further comprising applying a set of time schedule policies to all users contained in the root group of the hierarchy, wherein each time schedule policy indicates that, during a time schedule, certain information may be communicated between any user contained in the root group and the internet using a particular application protocol.
62. The method of claim 61, further comprising establishing, according to the time schedule policies, a time rule set for all users contained in the root group of the hierarchy, wherein the time rule set comprises an inbound global network rule set and an outbound global network rule set, and wherein the time rules govern whether packets containing said information may be communicated between any user contained in the root group and the internet using the particular application protocol during the time schedule.
63. The method of claim 62, wherein filtering the information communicated between the users of the number of computers connected to the intranet and the internet comprises:
(a) intercepting a packet containing the information as it is communicated between a user and the internet;
(b) if an inbound global network protocol rule set has been established for all users, comparing the packet with the inbound global network protocol rule set;
(c) if the packet matches at least one inbound global network protocol rule, returning a filter result indicating whether transmission of the packet is refused; and
(d) if the packet does not match at least one inbound global network protocol rule, returning a default result indicating whether transmission of the packet is refused.
64. The method of claim 63, wherein filtering the information communicated between the users of the number of computers connected to the intranet and the internet further comprises:
(a) if no inbound global network protocol rule set has been established for all users, determining whether an outbound global network protocol rule set has been established for all users;
(b) if an outbound global network protocol rule set has been established for all users, comparing the packet with the outbound global network protocol rule set;
(c) if the packet matches at least one outbound global network protocol rule, returning a filter result indicating whether transmission of the packet is refused; and
(d) if the packet does not match at least one outbound global network protocol rule, returning a default result indicating whether transmission of the packet is refused.
65. The method of claim 64, wherein filtering the information communicated between the users of the number of computers connected to the intranet and the internet further comprises:
(a) if no outbound global network protocol rule set has been established for all users, comparing the packet with the user rule set;
(b) if the packet matches at least one user rule in the user rule set, returning a filter result indicating whether transmission of the packet is refused; and
(c) if the packet does not match at least one user rule in the user rule set, returning a default result indicating whether transmission of the packet is refused.
66. The method of claim 65, wherein comparing the packet with the user rule set comprises:
(a) scanning the mapping information of each user for the Internet Protocol address of a mapped computer, assigned to a user, that matches the address of the computer from which the packet was sent; and
(b) comparing the packet with the rule set of the user assigned to the mapped computer.
67. The method of claim 66, wherein filtering the information further comprises returning the default result if the address of the computer from which the packet was sent does not match the Internet Protocol address of any mapped computer.
68. The method of claim 49, further comprising updating the mapping information when a user logs out of the at least one computer assigned to the user.
69. The method of claim 68, further comprising updating the mapping information when a user logs in to another computer.
70. The method of claim 69, further comprising updating the mapping information when the address of the at least one computer assigned to a user changes.
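The filtering order of claims 63 to 67 (and the mapping lookup and result flags of claims 27 to 32), written out as an added Python example that is not part of the patent. The mapping tables, rule sets and addresses are constructed, and the reading of "established" as "defined for the packet's direction" is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed mapping tables (claim 27): computer-to-user and computer-to-address.
COMPUTER_TO_USER = {"ws-01": "alice", "ws-02": "bob"}
COMPUTER_TO_ADDRESS = {"ws-01": "10.0.0.11", "ws-02": "10.0.0.12"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str       # application protocol carried, e.g. "http" or "ftp"
    inbound: bool       # True: internet -> intranet, False: intranet -> internet
    filename: str = ""  # file name carried in the payload, "" when none


@dataclass(frozen=True)
class Rule:
    """One optimized rule (claims 15 and 20); a None field matches anything."""
    protocol: Optional[str] = None   # application or network protocol rule
    extension: Optional[str] = None  # file extension rule
    site: Optional[str] = None       # internet-side address of a site-and-protocol rule
    deny: bool = True                # filter result: refuse to transmit the packet
    log: bool = False                # filter result: record the packet (claim 31)
    notify: bool = False             # filter result: notify the user (claim 32)

    def matches(self, pkt: Packet) -> bool:
        internet_side = pkt.src_ip if pkt.inbound else pkt.dst_ip
        return ((self.protocol is None or self.protocol == pkt.protocol)
                and (self.extension is None
                     or pkt.filename.lower().endswith("." + self.extension))
                and (self.site is None or self.site == internet_side))


@dataclass(frozen=True)
class Result:
    deny: bool
    log: bool
    notify: bool
    source: str  # which rule set decided: "inbound", "outbound", "user" or "default"


# Default result (claims 29 and 30): returned when no rule or no mapping matches.
DEFAULT_RESULT = Result(deny=False, log=True, notify=False, source="default")


def evaluate(rules: List[Rule], pkt: Packet, source: str) -> Result:
    """Return the filter result of the first rule the packet matches, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return Result(rule.deny, rule.log, rule.notify, source)
    return DEFAULT_RESULT


def user_for_address(addr: str) -> Optional[str]:
    """Claim 66(a): scan the mappings for a computer whose address matches and return the
    user assigned to it; None when no mapped computer has that address."""
    for computer, ip in COMPUTER_TO_ADDRESS.items():
        if ip == addr:
            return COMPUTER_TO_USER.get(computer)
    return None


def filter_packet(pkt: Packet, inbound_global: List[Rule], outbound_global: List[Rule],
                  user_rules: Dict[str, List[Rule]]) -> Result:
    """Claims 63 to 67: an established global rule set for the packet's direction decides
    first (claims 63, 64); only when none exists is the sending computer mapped to a user
    and that user's rule set consulted (claims 65, 66); an unmapped address yields the
    default result (claim 67)."""
    if pkt.inbound and inbound_global:
        return evaluate(inbound_global, pkt, "inbound")
    if not pkt.inbound and outbound_global:
        return evaluate(outbound_global, pkt, "outbound")
    # Assumption: for inbound packets the intranet side (the destination) names the user.
    intranet_side = pkt.dst_ip if pkt.inbound else pkt.src_ip
    user = user_for_address(intranet_side)
    if user is None:
        return DEFAULT_RESULT
    return evaluate(user_rules.get(user, []), pkt, "user")


# Constructed rule sets: telnet from the internet is refused and logged for everyone; no
# outbound global rules exist, so outbound packets fall through to the user rule sets.
INBOUND_GLOBAL = [Rule(protocol="telnet", deny=True, log=True)]
OUTBOUND_GLOBAL: List[Rule] = []
USER_RULES = {
    "alice": [Rule(protocol="ftp", site="203.0.113.5", deny=True, notify=True)],
    "bob": [Rule(extension="exe", deny=True, log=True)],
}


def demo() -> List[Result]:
    """Run a few constructed packets through the engine, in the order listed."""
    packets = [
        Packet("203.0.113.5", "10.0.0.11", "telnet", inbound=True),      # inbound global deny
        Packet("203.0.113.5", "10.0.0.11", "http", inbound=True),        # inbound, no match
        Packet("10.0.0.11", "203.0.113.5", "ftp", inbound=False),        # alice's site rule
        Packet("10.0.0.12", "198.51.100.7", "http", False, "setup.exe"),  # bob's extension rule
        Packet("10.0.0.12", "198.51.100.7", "http", False, "readme.txt"), # bob, no match
        Packet("10.0.0.99", "198.51.100.7", "http", inbound=False),      # unmapped sender
    ]
    return [filter_packet(p, INBOUND_GLOBAL, OUTBOUND_GLOBAL, USER_RULES) for p in packets]
```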
Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US4042497P 1997-03-11 1997-03-11
US60/040,424 1997-03-11
US08/825,775 1997-04-02
US08/825,775 US5983270A (en) 1997-03-11 1997-04-02 Method and apparatus for managing internetwork and intranetwork activity

Publications (1)

Publication Number Publication Date
CN1253685A true CN1253685A (en) 2000-05-17

Family

ID=26717052

Family Applications (1)

Application Number Title Priority Date Filing Date
CN98804499A Pending CN1253685A (en) 1997-03-11 1998-03-11 Method and apparatus for managing internetwork and internetwork activity in enterprise

Country Status (7)

Country Link
US (2) US5983270A (en)
EP (1) EP0966705A1 (en)
JP (1) JP2001514832A (en)
CN (1) CN1253685A (en)
AU (1) AU736382B2 (en)
CA (1) CA2283303A1 (en)
WO (1) WO1998040987A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100443910C (en) * 2002-11-07 2008-12-17 尖端技术公司 Active network defense system and method
CN100550893C (en) * 2002-04-23 2009-10-14 阿尔卡特公司 The data filter management devices
CN100555947C (en) * 2004-10-12 2009-10-28 国际商业机器公司 The equipment, the system and method that present the mapping between a name space and the batch total operator resource
CN101521598B (en) * 2009-03-30 2011-07-13 中兴通讯股份有限公司 SNMP network management system and method thereof for managing access customer
CN104618469A (en) * 2014-12-24 2015-05-13 西北农林科技大学 Supervisory computer and LAN (Local Area Network) access control method based on agency network frame
CN105071964A (en) * 2015-08-06 2015-11-18 中兴通讯股份有限公司 Strategy operation, configuration issuing, conflict resolution and closed-loop management method and system
CN105824813A (en) * 2015-01-05 2016-08-03 中国移动通信集团江苏有限公司 Core user excavate method and device
CN106561028A (en) * 2015-10-02 2017-04-12 高效Ip公司 Quarantining An Internet Protocol Address
CN110366720A (en) * 2017-01-13 2019-10-22 思杰系统有限公司 The system and method for user's space network stack while bypassing container Linux network stack in operation Docker container

Families Citing this family (302)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5742762A (en) * 1995-05-19 1998-04-21 Telogy Networks, Inc. Network management gateway
US6408336B1 (en) 1997-03-10 2002-06-18 David S. Schneider Distributed administration of access to information
US7272625B1 (en) * 1997-03-10 2007-09-18 Sonicwall, Inc. Generalized policy server
US8914410B2 (en) 1999-02-16 2014-12-16 Sonicwall, Inc. Query interface to policy server
US7821926B2 (en) 1997-03-10 2010-10-26 Sonicwall, Inc. Generalized policy server
US6216168B1 (en) * 1997-03-17 2001-04-10 Cabletron Systems, Inc. Perspective-based shared scope address resolution method and apparatus
JPH1174883A (en) * 1997-08-19 1999-03-16 Internatl Business Mach Corp <Ibm> System management equipment and its method
US6321337B1 (en) 1997-09-09 2001-11-20 Sanctum Ltd. Method and system for protecting operations of trusted internal networks
US6282709B1 (en) * 1997-11-12 2001-08-28 Philips Electronics North America Corporation Software update manager
US6795888B1 (en) * 1997-12-01 2004-09-21 Microsoft Corporation Installable logging modules in network servers
US6226523B1 (en) * 1997-12-19 2001-05-01 Telefonaktiebolaget Lm Ericsson (Publ) Internet protocol traffic filter for a mobile radio network
US6738814B1 (en) * 1998-03-18 2004-05-18 Cisco Technology, Inc. Method for blocking denial of service and address spoofing attacks on a private network
US6400701B2 (en) * 1998-03-31 2002-06-04 Nortel Networks Limited Asymmetric internet access over fixed wireless access
US6557037B1 (en) * 1998-05-29 2003-04-29 Sun Microsystems System and method for easing communications between devices connected respectively to public networks such as the internet and to private networks by facilitating resolution of human-readable addresses
US6279111B1 (en) 1998-06-12 2001-08-21 Microsoft Corporation Security model using restricted tokens
US6308273B1 (en) * 1998-06-12 2001-10-23 Microsoft Corporation Method and system of security location discrimination
US6505300B2 (en) 1998-06-12 2003-01-07 Microsoft Corporation Method and system for secure running of untrusted content
US6308274B1 (en) 1998-06-12 2001-10-23 Microsoft Corporation Least privilege via restricted tokens
US6311278B1 (en) 1998-09-09 2001-10-30 Sanctum Ltd. Method and system for extracting application protocol characteristics
US6553421B1 (en) * 1998-09-15 2003-04-22 International Business Machines Corporation Method and system for broadcast management in a data communication network that permits namesharing
WO2000016210A1 (en) 1998-09-17 2000-03-23 Nexchange Corporation Affiliate commerce system and method
US20030009464A1 (en) * 1998-10-02 2003-01-09 Campbell Rene L. System and method for managing computer and phone network resources
IT1304768B1 (en) * 1998-10-05 2001-03-29 Esaote Spa TABLE FOR PATIENT HOLDER OR SIMILAR, AND MACHINE, IN PARTICULAR MACHINE FOR DETECTION OF IMAGES IN NUCLEAR MAGNETIC RESONANCE IN
US6826694B1 (en) * 1998-10-22 2004-11-30 At&T Corp. High resolution access control
US7673323B1 (en) 1998-10-28 2010-03-02 Bea Systems, Inc. System and method for maintaining security in a distributed computer network
GB2385969B (en) * 1998-10-28 2004-01-14 Crosslogix Inc Providing access to securable components
US6460141B1 (en) 1998-10-28 2002-10-01 Rsa Security Inc. Security and access management system for web-enabled and non-web-enabled applications and content on a computer network
US6158010A (en) 1998-10-28 2000-12-05 Crosslogix, Inc. System and method for maintaining security in a distributed computer network
US7181486B1 (en) 1998-12-07 2007-02-20 Network Ice Corporation Method and apparatus for remote installation of network drivers and software
WO2000034867A1 (en) 1998-12-09 2000-06-15 Network Ice Corporation A method and apparatus for providing network and computer system security
US20020188720A1 (en) * 1998-12-28 2002-12-12 William F. Terrell Method and apparatus for dynamically controlling the provision of differentiated services
US7353234B2 (en) 1998-12-30 2008-04-01 Aol Llc, A Delaware Limited Liability Company Customized user interface based on user record information
US7555721B2 (en) * 1998-12-30 2009-06-30 Aol Llc, A Delaware Limited Liability Company Customized user interface
US7136926B1 (en) * 1998-12-31 2006-11-14 Pmc-Sierra Us, Inc. Method and apparatus for high-speed network rule processing
US6425003B1 (en) * 1999-01-22 2002-07-23 Cisco Technology, Inc. Method and apparatus for DNS resolution
US7177947B1 (en) 1999-01-22 2007-02-13 Cisco Technology, Inc. Method and apparatus for DNS resolution
US7076546B1 (en) * 1999-02-10 2006-07-11 International Business Machines Corporation Browser for use in accessing hypertext documents in a multi-user computer environment
JP2000285039A (en) * 1999-03-31 2000-10-13 Seiko Epson Corp Device retrieving device, its method and recording medium recording computer program for realizing the method
US20050192008A1 (en) * 1999-03-31 2005-09-01 Nimesh Desai System and method for selective information exchange
US6820204B1 (en) 1999-03-31 2004-11-16 Nimesh Desai System and method for selective information exchange
US7107612B1 (en) 1999-04-01 2006-09-12 Juniper Networks, Inc. Method, apparatus and computer program product for a network firewall
US6421722B1 (en) * 1999-04-30 2002-07-16 Alcatel Canada Inc. Method and apparatus for providing internetworking service reliability
US6901517B1 (en) * 1999-07-16 2005-05-31 Marconi Communications, Inc. Hardware based security groups, firewall load sharing, and firewall redundancy
US7346929B1 (en) 1999-07-29 2008-03-18 International Business Machines Corporation Method and apparatus for auditing network security
SE514733C2 (en) * 1999-08-27 2001-04-09 Posten Ab Procedure for communication on the Internet
US6704787B1 (en) * 1999-12-03 2004-03-09 Intercard Payments, Inc. Date of birth authentication system and method using demographic and/or geographic data supplied by a subscriber that is verified by a third party
US8006243B2 (en) 1999-12-07 2011-08-23 International Business Machines Corporation Method and apparatus for remote installation of network drivers and software
US7523190B1 (en) * 1999-12-23 2009-04-21 Bickerstaff Cynthia L Real-time performance assessment of large area network user experience
US6674743B1 (en) 1999-12-30 2004-01-06 3Com Corporation Method and apparatus for providing policy-based services for internal applications
US8074256B2 (en) * 2000-01-07 2011-12-06 Mcafee, Inc. Pdstudio design system and method
US6779120B1 (en) * 2000-01-07 2004-08-17 Securify, Inc. Declarative language for specifying a security policy
US7315891B2 (en) * 2000-01-12 2008-01-01 Vericept Corporation Employee internet management device
US6839766B1 (en) * 2000-01-14 2005-01-04 Cisco Technology, Inc. Method and apparatus for communicating cops protocol policies to non-cops-enabled network devices
US6606659B1 (en) 2000-01-28 2003-08-12 Websense, Inc. System and method for controlling access to internet sites
JP3584838B2 (en) * 2000-02-22 2004-11-04 日本電気株式会社 Packet monitoring system, packet monitoring method, and recording medium recording program thereof
US6654795B1 (en) 2000-02-25 2003-11-25 Brantley W. Coile System and method for distribution of network file accesses over network storage devices
US6990481B1 (en) 2000-02-25 2006-01-24 Coraid, Inc. System and method for content management over network storage devices
WO2001065330A2 (en) 2000-03-03 2001-09-07 Sanctum Ltd. System for determining web application vulnerabilities
US6978364B1 (en) * 2000-04-12 2005-12-20 Microsoft Corporation VPN enrollment protocol gateway
WO2001082086A1 (en) * 2000-04-24 2001-11-01 Matsushita Electric Industrial Co., Ltd. Access right setting device and manager terminal
US7921459B2 (en) 2000-04-28 2011-04-05 International Business Machines Corporation System and method for managing security events on a network
AU2001262958A1 (en) 2000-04-28 2001-11-12 Internet Security Systems, Inc. Method and system for managing computer security information
US7574740B1 (en) 2000-04-28 2009-08-11 International Business Machines Corporation Method and system for intrusion detection in a computer network
JP2001313640A (en) * 2000-05-02 2001-11-09 Ntt Data Corp Method and system for deciding access type in communication network and recording medium
US7917647B2 (en) 2000-06-16 2011-03-29 Mcafee, Inc. Method and apparatus for rate limiting
US20020093527A1 (en) * 2000-06-16 2002-07-18 Sherlock Kieran G. User interface for a security policy system and method
US7032031B2 (en) * 2000-06-23 2006-04-18 Cloudshield Technologies, Inc. Edge adapter apparatus and method
US8914494B2 (en) * 2000-06-28 2014-12-16 Clinton D. Bunch System and method for user behavioral management in a computing environment
US6795856B1 (en) * 2000-06-28 2004-09-21 Accountability International, Inc. System and method for monitoring the internet access of a computer
US7162649B1 (en) 2000-06-30 2007-01-09 Internet Security Systems, Inc. Method and apparatus for network assessment and authentication
US6907531B1 (en) 2000-06-30 2005-06-14 Internet Security Systems, Inc. Method and system for identifying, fixing, and updating security vulnerabilities
US7991917B1 (en) 2000-07-05 2011-08-02 Mcafee, Inc. High performance packet processing using a general purpose processor
AU2001275874A1 (en) * 2000-07-07 2002-01-21 Consilient, Inc. Method and apparatus for providing process-container platforms
US7093239B1 (en) * 2000-07-14 2006-08-15 Internet Security Systems, Inc. Computer immune system and method for detecting unwanted code in a computer system
WO2002006976A2 (en) * 2000-07-18 2002-01-24 Koninklijke Philips Electronics N.V. Electronically accessible user specific information
US6807576B1 (en) 2000-09-08 2004-10-19 International Business Machines Corporation Method and system for determining and graphically representing frame classification rule relationships
US7587499B1 (en) * 2000-09-14 2009-09-08 Joshua Haghpassand Web-based security and filtering system with proxy chaining
US6826698B1 (en) * 2000-09-15 2004-11-30 Networks Associates Technology, Inc. System, method and computer program product for rule based network security policies
US7178166B1 (en) 2000-09-19 2007-02-13 Internet Security Systems, Inc. Vulnerability assessment and authentication of a computer by a local scanner
US20110214157A1 (en) * 2000-09-25 2011-09-01 Yevgeny Korsunsky Securing a network with data flow processing
US7096326B1 (en) * 2000-09-29 2006-08-22 Pinion Software, Inc. Registry monitoring system and method
WO2002029595A1 (en) * 2000-10-06 2002-04-11 Richlind Commercial Corporation Ltd. Apparatus and method for capturing and storing web addresses in a data base
US9027121B2 (en) 2000-10-10 2015-05-05 International Business Machines Corporation Method and system for creating a record for one or more computer security incidents
US7146305B2 (en) 2000-10-24 2006-12-05 Vcis, Inc. Analytical virtual machine
FR2817433A1 (en) * 2000-11-30 2002-05-31 Koninkl Philips Electronics Nv DATA TRANSMISSION SYSTEM INVOLVING A SERVER, STATION SUITABLE FOR SUCH A SYSTEM, AND METHOD FOR DOWNLOADING DATA
US7130466B2 (en) 2000-12-21 2006-10-31 Cobion Ag System and method for compiling images from a database and comparing the compiled images with known images
RU2214623C2 (en) * 2000-12-29 2003-10-20 Купреенко Сергей Витальевич Computer network with internet screen and internet screen
US20020147803A1 (en) 2001-01-31 2002-10-10 Dodd Timothy David Method and system for calculating risk in association with a security audit of a computer network
US7313822B2 (en) * 2001-03-16 2007-12-25 Protegrity Corporation Application-layer security method and system
US7882555B2 (en) * 2001-03-16 2011-02-01 Kavado, Inc. Application layer security method and system
US7457858B1 (en) * 2001-04-02 2008-11-25 Fujitsu Limited Filtering network management messages
DE10117133B4 (en) * 2001-04-05 2005-07-07 T-Mobile Deutschland Gmbh Method and device for path control of IP connections in a subscriber-based communication network
US7024403B2 (en) * 2001-04-27 2006-04-04 Veritas Operating Corporation Filter driver for identifying disk files by analysis of content
US6816455B2 (en) * 2001-05-09 2004-11-09 Telecom Italia S.P.A. Dynamic packet filter utilizing session tracking
US7562388B2 (en) * 2001-05-31 2009-07-14 International Business Machines Corporation Method and system for implementing security devices in a network
US7237264B1 (en) 2001-06-04 2007-06-26 Internet Security Systems, Inc. System and method for preventing network misuse
US20040103315A1 (en) * 2001-06-07 2004-05-27 Geoffrey Cooper Assessment tool
US7657419B2 (en) 2001-06-19 2010-02-02 International Business Machines Corporation Analytical virtual machine
US7315892B2 (en) * 2001-06-27 2008-01-01 International Business Machines Corporation In-kernel content-aware service differentiation
US8200818B2 (en) * 2001-07-06 2012-06-12 Check Point Software Technologies, Inc. System providing internet access management with router-based policy enforcement
US20030035408A1 (en) * 2001-08-17 2003-02-20 Hebert James E. Redundant communication adapter system for connecting a client to an FDDI network
US20030046335A1 (en) * 2001-08-30 2003-03-06 International Business Machines Corporation Efficiently serving large objects in a distributed computing network
US7355970B2 (en) * 2001-10-05 2008-04-08 Broadcom Corporation Method and apparatus for enabling access on a network switch
US7613815B1 (en) * 2001-10-15 2009-11-03 Netapp, Inc. Method and apparatus for customized logging in a network cache
US7093294B2 (en) * 2001-10-31 2006-08-15 International Business Machines Corporation System and method for detecting and controlling a drone implanted in a network attached device such as a computer
US7194464B2 (en) 2001-12-07 2007-03-20 Websense, Inc. System and method for adapting an internet filter
US7350226B2 (en) * 2001-12-13 2008-03-25 Bea Systems, Inc. System and method for analyzing security policies in a distributed computer network
US6604139B1 (en) * 2001-12-14 2003-08-05 Networks Associates Technology, Inc. Voice protocol filtering system and method
WO2003058451A1 (en) 2002-01-04 2003-07-17 Internet Security Systems, Inc. System and method for the managed security control of processes on a computer system
US8910241B2 (en) 2002-04-25 2014-12-09 Citrix Systems, Inc. Computer security system
IL149583A0 (en) * 2002-05-09 2003-07-06 Kavado Israel Ltd Method for automatic setting and updating of a security policy
US7370360B2 (en) 2002-05-13 2008-05-06 International Business Machines Corporation Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine
WO2003100622A1 (en) * 2002-05-22 2003-12-04 Procera Networks Switch for local area network
WO2003105015A1 (en) 2002-06-01 2003-12-18 Akonix Systems, Inc. Systems and methods for a protocol gateway
US7657616B1 (en) 2002-06-10 2010-02-02 Quest Software, Inc. Automatic discovery of users associated with screen names
US7707401B2 (en) * 2002-06-10 2010-04-27 Quest Software, Inc. Systems and methods for a protocol gateway
US7818565B2 (en) * 2002-06-10 2010-10-19 Quest Software, Inc. Systems and methods for implementing protocol enforcement rules
US7428590B2 (en) 2002-06-10 2008-09-23 Akonix Systems, Inc. Systems and methods for reflecting messages associated with a target protocol within a network
US7774832B2 (en) * 2002-06-10 2010-08-10 Quest Software, Inc. Systems and methods for implementing protocol enforcement rules
US20080196099A1 (en) * 2002-06-10 2008-08-14 Akonix Systems, Inc. Systems and methods for detecting and blocking malicious content in instant messages
US7120858B2 (en) * 2002-08-21 2006-10-10 Sun Microsystems, Inc. Method and device for off-loading message digest calculations
JP4786116B2 (en) * 2002-09-06 2011-10-05 ソニー株式会社 Information processing apparatus and method, and program
WO2004027576A2 (en) * 2002-09-18 2004-04-01 Netezza Corporation Asymmetric data streaming architecture having autonomous and asynchronous job processing unit
MY141160A (en) * 2003-01-13 2010-03-31 Multimedia Glory Sdn Bhd System and method of preventing the transmission of known and unknown electronic content to and from servers or workstations connected to a common network
US7219131B2 (en) 2003-01-16 2007-05-15 Ironport Systems, Inc. Electronic message delivery using an alternate source approach
US7913303B1 (en) 2003-01-21 2011-03-22 International Business Machines Corporation Method and system for dynamically protecting a computer system from attack
US20040260801A1 (en) * 2003-02-12 2004-12-23 Actiontec Electronics, Inc. Apparatus and methods for monitoring and controlling network activity using mobile communications devices
US7958187B2 (en) * 2003-02-19 2011-06-07 Google Inc. Systems and methods for managing directory harvest attacks via electronic messages
US7529754B2 (en) 2003-03-14 2009-05-05 Websense, Inc. System and method of monitoring and controlling application files
US7185015B2 (en) 2003-03-14 2007-02-27 Websense, Inc. System and method of monitoring and controlling application files
US7926104B1 (en) * 2003-04-16 2011-04-12 Verizon Corporate Services Group Inc. Methods and systems for network attack detection and prevention through redirection
US8640234B2 (en) * 2003-05-07 2014-01-28 Trustwave Holdings, Inc. Method and apparatus for predictive and actual intrusion detection on a network
US20040226017A1 (en) * 2003-05-09 2004-11-11 Leonard Ozgur C. Mechanism for associating resource pools with operating system partitions
US8892878B2 (en) * 2003-05-09 2014-11-18 Oracle America, Inc. Fine-grained privileges in operating system partitions
US7461080B1 (en) 2003-05-09 2008-12-02 Sun Microsystems, Inc. System logging within operating system partitions using log device nodes that are access points to a log driver
US7133916B2 (en) * 2003-07-28 2006-11-07 Etelemetry, Inc. Asset tracker for identifying user of current internet protocol addresses within an organization's communications network
US9338026B2 (en) * 2003-09-22 2016-05-10 Axway Inc. Delay technique in e-mail filtering system
US20050102535A1 (en) 2003-10-10 2005-05-12 Bea Systems, Inc. Distributed security system with security service providers
US7644432B2 (en) 2003-10-10 2010-01-05 Bea Systems, Inc. Policy inheritance through nested groups
US8453196B2 (en) * 2003-10-14 2013-05-28 Salesforce.Com, Inc. Policy management in an interoperability network
US7657938B2 (en) 2003-10-28 2010-02-02 International Business Machines Corporation Method and system for protecting computer networks by altering unwanted network data traffic
KR100568235B1 (en) * 2003-11-20 2006-04-07 삼성전자주식회사 Apparatus and method for requesting service provided by network device
US8499042B2 (en) 2004-01-30 2013-07-30 Unwired Planet, Inc. System for managing e-mail traffic
EP1716676B1 (en) 2004-02-17 2012-06-13 Cisco Technology, Inc. Collecting, aggregating, and managing information relating to electronic messages
JP4327630B2 (en) * 2004-03-22 2009-09-09 株式会社日立製作所 Storage area network system, security system, security management program, storage device using Internet protocol
US8131830B2 (en) * 2004-04-19 2012-03-06 Hewlett-Packard Development Company, L.P. System and method for providing support services using administrative rights on a client computer
US7756930B2 (en) 2004-05-28 2010-07-13 Ironport Systems, Inc. Techniques for determining the reputation of a message sender
US8166310B2 (en) 2004-05-29 2012-04-24 Ironport Systems, Inc. Method and apparatus for providing temporary access to a network device
US7870200B2 (en) 2004-05-29 2011-01-11 Ironport Systems, Inc. Monitoring the flow of messages received at a server
US7849142B2 (en) 2004-05-29 2010-12-07 Ironport Systems, Inc. Managing connections, messages, and directory harvest attacks at a server
US7873695B2 (en) 2004-05-29 2011-01-18 Ironport Systems, Inc. Managing connections and messages at a server by associating different actions for both different senders and different recipients
US7917588B2 (en) * 2004-05-29 2011-03-29 Ironport Systems, Inc. Managing delivery of electronic messages using bounce profiles
US7748038B2 (en) 2004-06-16 2010-06-29 Ironport Systems, Inc. Method and apparatus for managing computer virus outbreaks
US9436820B1 (en) * 2004-08-02 2016-09-06 Cisco Technology, Inc. Controlling access to resources in a network
GB2416879B (en) 2004-08-07 2007-04-04 Surfcontrol Plc Device resource access filtering system and method
GB2418999A (en) * 2004-09-09 2006-04-12 Surfcontrol Plc Categorizing uniform resource locators
GB2418108B (en) 2004-09-09 2007-06-27 Surfcontrol Plc System, method and apparatus for use in monitoring or controlling internet access
GB2418037B (en) 2004-09-09 2007-02-28 Surfcontrol Plc System, method and apparatus for use in monitoring or controlling internet access
US8127045B2 (en) * 2004-09-13 2012-02-28 Apple Inc. Dynamically configurable connection on demand
US8181182B1 (en) 2004-11-16 2012-05-15 Oracle America, Inc. Resource allocation brokering in nested containers
JP2006174350A (en) * 2004-12-20 2006-06-29 Fujitsu Ltd Communication apparatus
US7752272B2 (en) * 2005-01-11 2010-07-06 Research In Motion Limited System and method for filter content pushed to client device
US8005913B1 (en) 2005-01-20 2011-08-23 Network Protection Sciences, LLC Controlling, filtering, and monitoring of mobile device access to the internet, data, voice, and applications
US20060218528A1 (en) * 2005-03-22 2006-09-28 Microsoft Corporation Software explorer
US7872770B2 (en) * 2005-06-30 2011-01-18 Xerox Corporation Printing system and method for combining multiple print jobs into a single compound print job
US20070011744A1 (en) * 2005-07-11 2007-01-11 Cox Communications Methods and systems for providing security from malicious software
US7647398B1 (en) * 2005-07-18 2010-01-12 Trend Micro, Inc. Event query in the context of delegated administration
CN101248422A (en) * 2005-08-16 2008-08-20 摩托罗拉公司 Method and policy execution engine for regulating an incoming call in a communication system
JP4517997B2 (en) * 2005-10-05 2010-08-04 株式会社日立製作所 Network management apparatus and network system
WO2007056691A2 (en) 2005-11-03 2007-05-18 Akonix Systems, Inc. Systems and methods for remote rogue protocol enforcement
JP2007293639A (en) * 2006-04-26 2007-11-08 Yokogawa Electric Corp Access control method and equipment and system using access control method
US7710999B2 (en) * 2006-04-27 2010-05-04 Alcatel Lucent Policy calendar
US8332926B2 (en) 2006-05-12 2012-12-11 Qualcomm Incorporated Efficient modification of packet filters in a wireless communication network
US20070274314A1 (en) * 2006-05-23 2007-11-29 Werber Ryan A System and method for creating application groups
US8135936B2 (en) * 2009-12-23 2012-03-13 Intel Corporation Adaptive address mapping with dynamic runtime memory mapping selection
US8020206B2 (en) 2006-07-10 2011-09-13 Websense, Inc. System and method of analyzing web content
US8615800B2 (en) 2006-07-10 2013-12-24 Websense, Inc. System and method for analyzing web content
JP4992332B2 (en) * 2006-08-03 2012-08-08 富士通株式会社 Login management method and server
US7802296B2 (en) * 2006-08-23 2010-09-21 Cisco Technology, Inc. Method and system for identifying and processing secure data frames
US9654495B2 (en) 2006-12-01 2017-05-16 Websense, Llc System and method of analyzing web addresses
GB2445764A (en) 2007-01-22 2008-07-23 Surfcontrol Plc Resource access filtering system and database structure for use therewith
US8015174B2 (en) 2007-02-28 2011-09-06 Websense, Inc. System and method of controlling access to the internet
US8959568B2 (en) * 2007-03-14 2015-02-17 Microsoft Corporation Enterprise security assessment sharing
US8413247B2 (en) * 2007-03-14 2013-04-02 Microsoft Corporation Adaptive data collection for root-cause analysis and intrusion detection
US8955105B2 (en) * 2007-03-14 2015-02-10 Microsoft Corporation Endpoint enabled for enterprise security assessment sharing
US20080229419A1 (en) * 2007-03-16 2008-09-18 Microsoft Corporation Automated identification of firewall malware scanner deficiencies
US20080244742A1 (en) * 2007-04-02 2008-10-02 Microsoft Corporation Detecting adversaries by correlating detected malware with web access logs
US8996681B2 (en) * 2007-04-23 2015-03-31 The Mitre Corporation Passively attributing anonymous network events to their associated users
GB0709527D0 (en) 2007-05-18 2007-06-27 Surfcontrol Plc Electronic messaging system, message processing apparatus and message processing method
US9219705B2 (en) * 2007-06-25 2015-12-22 Microsoft Technology Licensing, Llc Scaling network services using DNS
US8984620B2 (en) * 2007-07-06 2015-03-17 Cyberoam Technologies Pvt. Ltd. Identity and policy-based network security and management system and method
US8024473B1 (en) 2007-07-19 2011-09-20 Mcafee, Inc. System, method, and computer program product to automate the flagging of obscure network flows as at least potentially unwanted
CN101119232A (en) * 2007-08-09 2008-02-06 北京艾科网信科技有限公司 Log recording method and system
US8046378B1 (en) * 2007-09-26 2011-10-25 Network Appliance, Inc. Universal quota entry identification
US8131784B1 (en) 2007-09-26 2012-03-06 Network Appliance, Inc. Multiple node quota filter
KR100929916B1 (en) * 2007-11-05 2009-12-04 한국전자통신연구원 External information leakage prevention system and method through access situation analysis in personal mobile terminal
US8516539B2 (en) 2007-11-09 2013-08-20 Citrix Systems, Inc System and method for inferring access policies from access event records
US8990910B2 (en) 2007-11-13 2015-03-24 Citrix Systems, Inc. System and method using globally unique identities
US20090198815A1 (en) * 2008-02-04 2009-08-06 Nelson Nicola Saba Criteria-based creation of organizational hierarchies in a group-centric network
US9240945B2 (en) 2008-03-19 2016-01-19 Citrix Systems, Inc. Access, priority and bandwidth management based on application identity
US8943575B2 (en) * 2008-04-30 2015-01-27 Citrix Systems, Inc. Method and system for policy simulation
US20090300019A1 (en) * 2008-05-30 2009-12-03 Schlumberger Technology Corporation Hierarchical item level entitlement
US8635335B2 (en) 2009-01-28 2014-01-21 Headwater Partners I Llc System and method for wireless network offloading
US8898293B2 (en) 2009-01-28 2014-11-25 Headwater Partners I Llc Service offer set publishing to device agent with on-device service selection
US8589541B2 (en) 2009-01-28 2013-11-19 Headwater Partners I Llc Device-assisted services for protecting network capacity
US8391834B2 (en) 2009-01-28 2013-03-05 Headwater Partners I Llc Security techniques for device assisted services
US8340634B2 (en) 2009-01-28 2012-12-25 Headwater Partners I, Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US8924469B2 (en) 2008-06-05 2014-12-30 Headwater Partners I Llc Enterprise access control and accounting allocation for access networks
US8402111B2 (en) 2009-01-28 2013-03-19 Headwater Partners I, Llc Device assisted services install
US8725123B2 (en) 2008-06-05 2014-05-13 Headwater Partners I Llc Communications device with secure data path processing agents
US8924543B2 (en) 2009-01-28 2014-12-30 Headwater Partners I Llc Service design center for device assisted services
US8275830B2 (en) 2009-01-28 2012-09-25 Headwater Partners I Llc Device assisted CDR creation, aggregation, mediation and billing
US8548428B2 (en) 2009-01-28 2013-10-01 Headwater Partners I Llc Device group partitions and settlement platform
US8832777B2 (en) 2009-03-02 2014-09-09 Headwater Partners I Llc Adapting network policies based on device service processor configuration
US8346225B2 (en) 2009-01-28 2013-01-01 Headwater Partners I, Llc Quality of service for device assisted services
US8406748B2 (en) 2009-01-28 2013-03-26 Headwater Partners I Llc Adaptive ambient services
US8626115B2 (en) 2009-01-28 2014-01-07 Headwater Partners I Llc Wireless network service interfaces
US8583781B2 (en) 2009-01-28 2013-11-12 Headwater Partners I Llc Simplified service network architecture
AU2009267107A1 (en) 2008-06-30 2010-01-07 Websense, Inc. System and method for dynamic and real-time categorization of webpages
US8429715B2 (en) * 2008-08-08 2013-04-23 Microsoft Corporation Secure resource name resolution using a cache
US7917616B2 (en) 2008-08-08 2011-03-29 Microsoft Corporation Secure resource name resolution
US8990573B2 (en) 2008-11-10 2015-03-24 Citrix Systems, Inc. System and method for using variable security tag location in network communications
TW201021469A (en) * 2008-11-27 2010-06-01 Chunghwa Telecom Co Ltd Interception security system
US9392070B2 (en) * 2008-12-19 2016-07-12 Telefonaktiebolaget Lm Ericsson (Publ) Method and arrangement for handling resource data
US7962447B2 (en) * 2008-12-30 2011-06-14 International Business Machines Corporation Accessing a hierarchical database using service data objects (SDO) via a data access service (DAS)
US10248996B2 (en) 2009-01-28 2019-04-02 Headwater Research Llc Method for operating a wireless end-user device mobile payment agent
US9572019B2 (en) 2009-01-28 2017-02-14 Headwater Partners LLC Service selection set published to device agent with on-device service selection
US9755842B2 (en) 2009-01-28 2017-09-05 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US10841839B2 (en) 2009-01-28 2020-11-17 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US9351193B2 (en) 2009-01-28 2016-05-24 Headwater Partners I Llc Intermediate networking devices
US9253663B2 (en) 2009-01-28 2016-02-02 Headwater Partners I Llc Controlling mobile device communications on a roaming network based on device state
US9647918B2 (en) 2009-01-28 2017-05-09 Headwater Research Llc Mobile device and method attributing media services network usage to requesting application
US9270559B2 (en) 2009-01-28 2016-02-23 Headwater Partners I Llc Service policy implementation for an end-user device having a control application or a proxy agent for routing an application traffic flow
US9578182B2 (en) 2009-01-28 2017-02-21 Headwater Partners I Llc Mobile device and service management
US11218854B2 (en) 2009-01-28 2022-01-04 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management
US9392462B2 (en) 2009-01-28 2016-07-12 Headwater Partners I Llc Mobile end-user device with agent limiting wireless data communication for specified background applications based on a stored policy
US10783581B2 (en) 2009-01-28 2020-09-22 Headwater Research Llc Wireless end-user device providing ambient or sponsored services
US10484858B2 (en) 2009-01-28 2019-11-19 Headwater Research Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US10200541B2 (en) 2009-01-28 2019-02-05 Headwater Research Llc Wireless end-user device with divided user space/kernel space traffic policy system
US10715342B2 (en) 2009-01-28 2020-07-14 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US10492102B2 (en) 2009-01-28 2019-11-26 Headwater Research Llc Intermediate networking devices
US9954975B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Enhanced curfew and protection associated with a device group
US9980146B2 (en) 2009-01-28 2018-05-22 Headwater Research Llc Communications device with secure data path processing agents
US10064055B2 (en) 2009-01-28 2018-08-28 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US9557889B2 (en) 2009-01-28 2017-01-31 Headwater Partners I Llc Service plan design, user interfaces, application programming interfaces, and device management
US9565707B2 (en) 2009-01-28 2017-02-07 Headwater Partners I Llc Wireless end-user device with wireless data attribution to multiple personas
US8793758B2 (en) 2009-01-28 2014-07-29 Headwater Partners I Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US10798252B2 (en) 2009-01-28 2020-10-06 Headwater Research Llc System and method for providing user notifications
US9858559B2 (en) 2009-01-28 2018-01-02 Headwater Research Llc Network service plan design
US8893009B2 (en) 2009-01-28 2014-11-18 Headwater Partners I Llc End user device that secures an association of application to service policy with an application certificate check
US10779177B2 (en) 2009-01-28 2020-09-15 Headwater Research Llc Device group partitions and settlement platform
US9706061B2 (en) 2009-01-28 2017-07-11 Headwater Partners I Llc Service design center for device assisted services
US9571559B2 (en) 2009-01-28 2017-02-14 Headwater Partners I Llc Enhanced curfew and protection associated with a device group
US9955332B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Method for child wireless device activation to subscriber account of a master wireless device
US8745191B2 (en) 2009-01-28 2014-06-03 Headwater Partners I Llc System and method for providing user notifications
US10057775B2 (en) 2009-01-28 2018-08-21 Headwater Research Llc Virtualized policy and charging system
US10237757B2 (en) 2009-01-28 2019-03-19 Headwater Research Llc System and method for wireless network offloading
US9609510B2 (en) 2009-01-28 2017-03-28 Headwater Research Llc Automated credential porting for mobile devices
US10326800B2 (en) 2009-01-28 2019-06-18 Headwater Research Llc Wireless network service interfaces
US10264138B2 (en) 2009-01-28 2019-04-16 Headwater Research Llc Mobile device and service management
JP2010178867A (en) * 2009-02-05 2010-08-19 Fujifilm Corp Radiography network system and radiographic image capturing system control method
WO2010099560A1 (en) * 2009-03-03 2010-09-10 Moretonsoft Pty Ltd Device and method for monitoring of data packets
US20100229218A1 (en) * 2009-03-05 2010-09-09 Microsoft Corporation Quota management for network services
CN102598007B (en) 2009-05-26 2017-03-01 韦伯森斯公司 Effective detection fingerprints the system and method for data and information
US20110013604A1 (en) * 2009-07-17 2011-01-20 John Ruckart Methods, Systems and Computer Program Products for Controlling Devices Using Portable Electronic Devices
US8280408B2 (en) 2009-07-17 2012-10-02 At&T Intellectual Property I, Lp Methods, systems and computer program products for tailoring advertisements to a user based on actions taken using a portable electronic device
US9270542B2 (en) 2009-07-31 2016-02-23 Ixia Apparatus and methods for forwarding data packets captured from a network
US8996623B2 (en) * 2009-10-13 2015-03-31 International Business Machines Corporation Cost management for messages
EP2434428A1 (en) * 2009-11-19 2012-03-28 Hitachi, Ltd. Computer system, management system and recording medium
WO2011068503A1 (en) * 2009-12-01 2011-06-09 Airhop Communications, Inc. Method and apparatus for oam & p of wireless network
US9026767B2 (en) 2009-12-23 2015-05-05 Intel Corporation Adaptive address mapping with dynamic runtime memory mapping selection
US8549201B2 (en) 2010-06-30 2013-10-01 Intel Corporation Interrupt blocker
US9154826B2 (en) 2011-04-06 2015-10-06 Headwater Partners Ii Llc Distributing content and service launch objects to mobile devices
US8683103B2 (en) * 2011-08-19 2014-03-25 International Business Machines Corporation Hierarchical multi-tenancy support for host attachment configuration through resource groups
US10904075B2 (en) * 2012-07-02 2021-01-26 Keysight Technologies Singapore (Sales) Pte. Ltd. Preconfigured filters, dynamic updates and cloud based configurations in a network access switch
US10193887B2 (en) * 2012-07-10 2019-01-29 Oath Inc. Network appliance
US9117054B2 (en) 2012-12-21 2015-08-25 Websense, Inc. Method and apparatus for presence based resource management
US9608916B2 (en) * 2013-03-11 2017-03-28 Symantec Corporation Collaborative application classification
US20150149444A1 (en) * 2013-11-27 2015-05-28 General Electric Company Methods and apparatus to present information from different information systems in a local record
WO2015101774A1 (en) * 2013-12-31 2015-07-09 British Telecommunications Public Limited Company Processing service requests for digital content
US10079787B2 (en) * 2014-03-20 2018-09-18 Xiaomi Inc. Method and apparatus for creating group and exiting group
US10700950B2 (en) 2014-04-15 2020-06-30 Splunk Inc. Adjusting network data storage based on event stream statistics
US9923767B2 (en) 2014-04-15 2018-03-20 Splunk Inc. Dynamic configuration of remote capture agents for network data capture
US10693742B2 (en) 2014-04-15 2020-06-23 Splunk Inc. Inline visualizations of metrics related to captured network data
US10360196B2 (en) 2014-04-15 2019-07-23 Splunk Inc. Grouping and managing event streams generated from captured network data
US11086897B2 (en) 2014-04-15 2021-08-10 Splunk Inc. Linking event streams across applications of a data intake and query system
US10127273B2 (en) 2014-04-15 2018-11-13 Splunk Inc. Distributed processing of network data using remote capture agents
US11281643B2 (en) 2014-04-15 2022-03-22 Splunk Inc. Generating event streams including aggregated values from monitored network data
US10462004B2 (en) 2014-04-15 2019-10-29 Splunk Inc. Visualizations of statistics associated with captured network data
US9838512B2 (en) 2014-10-30 2017-12-05 Splunk Inc. Protocol-based capture of network data using remote capture agents
US10366101B2 (en) 2014-04-15 2019-07-30 Splunk Inc. Bidirectional linking of ephemeral event streams to creators of the ephemeral event streams
US9762443B2 (en) 2014-04-15 2017-09-12 Splunk Inc. Transformation of network data at remote capture agents
US10523521B2 (en) 2014-04-15 2019-12-31 Splunk Inc. Managing ephemeral event streams generated from captured network data
US9659182B1 (en) * 2014-04-30 2017-05-23 Symantec Corporation Systems and methods for protecting data files
TWI513239B (en) * 2014-09-03 2015-12-11 Hon Hai Prec Ind Co Ltd Network device and method for routing
US9596253B2 (en) 2014-10-30 2017-03-14 Splunk Inc. Capture triggers for capturing network data
US20160127180A1 (en) * 2014-10-30 2016-05-05 Splunk Inc. Streamlining configuration of protocol-based network data capture by remote capture agents
US10334085B2 (en) 2015-01-29 2019-06-25 Splunk Inc. Facilitating custom content extraction from network packets
GB201520380D0 (en) * 2015-11-19 2016-01-06 Qinetiq Ltd A data hub for a cross-domain communication system
US10594731B2 (en) 2016-03-24 2020-03-17 Snowflake Inc. Systems, methods, and devices for securely managing network connections
US10523635B2 (en) * 2016-06-17 2019-12-31 Assured Information Security, Inc. Filtering outbound network traffic
US10846420B2 (en) * 2018-06-29 2020-11-24 Forcepoint Llc Domain controller agent subscription to kerberos events for reliable transparent identification

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5317568A (en) * 1991-04-11 1994-05-31 Galileo International Partnership Method and apparatus for managing and facilitating communications in a distributed heterogeneous network
US5347633A (en) * 1991-04-30 1994-09-13 International Business Machines, Inc. System for selectively intercepting and rerouting data network traffic
US5377323A (en) * 1991-09-13 1994-12-27 Sun Microsystems, Inc. Apparatus and method for a federated naming system which can resolve a composite name composed of names from any number of disparate naming systems
JPH0619785A (en) * 1992-03-27 1994-01-28 Matsushita Electric Ind Co Ltd Distributed shared virtual memory and its constitution method
US5425028A (en) * 1992-07-16 1995-06-13 International Business Machines Corporation Protocol selection and address resolution for programs running in heterogeneous networks
US5606668A (en) * 1993-12-15 1997-02-25 Checkpoint Software Technologies Ltd. System for securing inbound and outbound data packet flow in a computer network
WO1996005549A1 (en) * 1994-08-09 1996-02-22 Shiva Corporation Apparatus and method for restricting access to a local computer network
US5864683A (en) * 1994-10-12 1999-01-26 Secure Computing Corporation System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights
US5586121A (en) * 1995-04-21 1996-12-17 Hybrid Networks, Inc. Asymmetric hybrid access system and method
US5648965A (en) * 1995-07-07 1997-07-15 Sun Microsystems, Inc. Method and apparatus for dynamic distributed packet tracing and analysis
US5796944A (en) * 1995-07-12 1998-08-18 3Com Corporation Apparatus and method for processing data frames in an internetworking device
US5781801A (en) * 1995-12-20 1998-07-14 Emc Corporation Method and apparatus for receive buffer management in multi-sender communication systems
US5742769A (en) * 1996-05-06 1998-04-21 Banyan Systems, Inc. Directory with options for access to and display of email addresses
US5884033A (en) * 1996-05-15 1999-03-16 Spyglass, Inc. Internet filtering system for filtering data transferred over the internet utilizing immediate and deferred filtering actions
US5842040A (en) * 1996-06-18 1998-11-24 Storage Technology Corporation Policy caching method and apparatus for use in a communication device based on contents of one data unit in a subset of related data units
US6832256B1 (en) * 1996-12-27 2004-12-14 Intel Corporation Firewalls that filter based upon protocol commands
US6173364B1 (en) * 1997-01-15 2001-01-09 At&T Corp. Session cache and rule caching method for a dynamic filter
US6178505B1 (en) * 1997-03-10 2001-01-23 Internet Dynamics, Inc. Secure delivery of information in a network

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100550893C (en) * 2002-04-23 2009-10-14 阿尔卡特公司 Data filter management device
CN100443910C (en) * 2002-11-07 2008-12-17 尖端技术公司 Active network defense system and method
CN100555947C (en) * 2004-10-12 2009-10-28 国际商业机器公司 The equipment, the system and method that present the mapping between a name space and the batch total operator resource
CN101521598B (en) * 2009-03-30 2011-07-13 中兴通讯股份有限公司 SNMP network management system and method thereof for managing access customer
CN104618469B (en) * 2014-12-24 2018-11-02 西北农林科技大学 Local area network access control method and supervisor based on agency network framework
CN104618469A (en) * 2014-12-24 2015-05-13 西北农林科技大学 Supervisory computer and LAN (Local Area Network) access control method based on agency network frame
CN105824813A (en) * 2015-01-05 2016-08-03 中国移动通信集团江苏有限公司 Core user mining method and device
CN105824813B (en) * 2015-01-05 2018-12-07 中国移动通信集团江苏有限公司 Method and device for mining core customers
CN105071964A (en) * 2015-08-06 2015-11-18 中兴通讯股份有限公司 Strategy operation, configuration issuing, conflict resolution and closed-loop management method and system
WO2017020601A1 (en) * 2015-08-06 2017-02-09 中兴通讯股份有限公司 Method and system for strategy operation, configuration forwarding, conflict processing and closed-loop management
CN106561028A (en) * 2015-10-02 2017-04-12 高效Ip公司 Quarantining An Internet Protocol Address
CN110366720A (en) * 2017-01-13 2019-10-22 思杰系统有限公司 System and method for running a user-space network stack inside a Docker container while bypassing the container's Linux network stack
US11843575B2 (en) 2017-01-13 2023-12-12 Citrix Systems, Inc. Systems and methods to run user space network stack inside docker container while bypassing container linux network stack

Also Published As

Publication number Publication date
USRE40187E1 (en) 2008-03-25
JP2001514832A (en) 2001-09-11
CA2283303A1 (en) 1998-09-17
WO1998040987A1 (en) 1998-09-17
AU736382B2 (en) 2001-07-26
AU6457798A (en) 1998-09-29
US5983270A (en) 1999-11-09
EP0966705A1 (en) 1999-12-29

Similar Documents

Publication Publication Date Title
CN1253685A (en) Method and apparatus for managing internetwork and internetwork activity in enterprise
CN1171433C (en) Detecting possible fraudulent communication usage
CN100347696C (en) Method and system for enterprise business process management
CN1252642C (en) Teleservices workstation with integrated presentation of concurrent interactions with multiple terminal emulations, hypermedia and telephony systems
CN1263259C (en) Settlement intermediary processing device and medium program, in-line shopping device method and system
CN1222896C (en) Administration of user's outline data
CN101044498A (en) Workflow services architecture
CN1044175A (en) Entity management system
US8495045B2 (en) Method and apparatus for creating an activity record in a business management system from an email message
US7457844B2 (en) Correspondent-centric management email system for associating message identifiers with instances of properties already stored in database
CN1412973A (en) Virtual personal network service management system and service supervisor and service agent device
CN1852355A (en) Method and device for collecting user communication characteristic information
CN1276575A (en) Database access system
CN1685342A (en) System and method for managing construction projects
CN1147325A (en) Service provision in communications networks
CN1751473A (en) A method and system to implement policy-based network traffic management
CN101051259A (en) Device managing system, information process apparatus, managing apparatus, and control method
CN1928861A (en) Immediate communication client machine for project share and method thereof
CN1277694A (en) Remote image capture with centralized processing and storage
CN1317758A (en) Work administrative system, its appts. and method
CN1653458A (en) System and method for verifying delivery and integrity of electronic message
CN1794729A (en) Data arrangement management method, data arrangement management system, data arrangement management device, and data arrangement management program
CN1836235A (en) System and method for determining relationships between users of a network system
CN1361491A (en) Introduction supporting method, introduction supporting system, introducing method and introducing system
CN1520572A (en) Method and appts. for automatic notification and response

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication